News

Microsoft To Release Out-of-Band Patch for ASP.NET Security Flaw

• By Kurt Mackie
• September 27, 2010

Microsoft plans to release a patch on Tuesday for a security issue associated with ASP.NET systems.

On late Friday, the company published yet another revision to its security advisory on ASP.NET systems, which added another step for IT pros applying a workaround solution. However, by early this afternoon on Monday, Microsoft announced a forthcoming patch, which will come outside the company's monthly security update cycle. The patch, rated "important," can be expected to arrive by "Tuesday, September 28, 2010 at approximately 10:00 AM PDT," according to Dave Forstrom, director of trustworthy computing at Microsoft, in a blog post.

Forstrom noted that the patch, which is described in Microsoft's advance notice bulletin, released today, will be made available initially through the Microsoft Download Center. Later, Microsoft will distribute it through other patch channels, such as Windows Update and Windows Server Update Services. He advised testing the patch beforehand. Later, the fix will be released more broadly through Microsoft's Automatic Update service.

Currently, security advisory 2416728 bears a revision date of Sept. 24, 2010, although it was revised once before. Microsoft added an additional workaround step for IT pros to carry out, but many IT pros likely will hold off for the patch coming on Tuesday. This additional step involves running a free Microsoft program called "UrlScan" designed to verify HTTP server requests. The current version of this tool, UrlScan 3.1, works with Internet Information Services (IIS) 5.1, 6.0 and 7.0 on Windows systems.

Microsoft has described this problem associated with ASP.NET systems as an information disclosure vulnerability. Security info can be gleaned through a "padding oracle" exploit. Essentially, an attacker can gain information from the server's "oracle" by sending flawed requests and interpreting the returned error messages. The oracle (an encryption component not associated with Oracle products) essentially needs to stop talking so much about its security settings.

An attacker can get password information from "cookies, ViewState, URL strings [and] hidden fields" from systems using ASP.NET and change the encrypted information, according to Microsoft blogger Vlad Azarkhin. By changing that information and querying the server, the attacker may gain enough information to impersonate the administrator, gaining access to the server, Azarkhin explained.

The objective in running UrlScan is to block "requests that specify the applications error path on the querystring," according to the revised workaround steps in the security advisory. Microsoft's general workaround solution is to configure ASP.NET to send a single error page, rather than a series of specific messages from the oracle, according to Azarkhin's latest blog post. He described the workaround as "not enough" but "vital" to apply. He noted that this problem is not specific to Microsoft products but was first discovered with the Java Server Faces Framework.

The revised security advisory specifically states that IT pros who applied the workaround previously need to go through all of the steps again. Likely, many IT pros will want to wait for the patch to arrive instead.

The vulnerability is associated with other Microsoft products that rely on ASP.NET, including SharePoint and Exchange. All Exchange systems, starting from Exchange 2003, are potentially affected and require the workaround or patch, according to this Microsoft blog.

Another Microsoft blog states that the workaround needs to be applied for systems using "SharePoint 2010, SharePoint Foundation 2010, Microsoft Office SharePoint Server 2007, Windows SharePoint Services 3.0 [and] Windows SharePoint Services 2.0." It doesn't need to be applied for systems using "SharePoint Portal Server 2003." 

Microsoft opened a forum page on the ASP.NET vulnerability to address questions. It also plans to hold a Webinar on Tuesday, Sept. 28, 2010 at 1:00 p.m. Pacific Daylight Time to answer questions from customers. The sign-up page can be accessed here.