Support Overview

Help Desk

Online Service Request

Emergency IT Support

Security Alerts

Computer Usage Tips

Security Alerts

Security Warning:  Emergency Patch for Microsoft ASP.NET Oracle Padding Vulnerability (MS10-070)

Microsoft released a so called "out of band" patch to fix a vulnerability in Microsoft ASP.NET that could potentially disclose sensitive information.

The vulnerability exists in ASP.NET due to improper error handling during encryption padding verification.  An attacker who successfully exploited this vulnerability could read any file within the ASP.NET application, including the web server configuration information, even if it was encrypted by the server. 

With any vulnerability that prompts an out-of-band patch, it is extremely critical that you address the vulnerability as soon as possible if you have vulnerable systems, but don't panic; most Windows systems will not be affected by this vulnerability.

Threat Level

Warning:  Proof-of-concept code for the vulnerability has been published, limited attack have been observed, and attempts to bypass workarounds have been observed.

(A "warning" alert is for a situation that are currently occurring or conditions are right for the situation to occur soon.)

Severity:  High (in some specific configurations). Information disclosure is not typically a high priority vulnerability, but if a web server includes sensitive information used to connect to other web server, for example, your web server connects to PayPal to accept payments or if sensitive information is contained in an Internet facing web site using SharePoint, disclosure of that could he a high priority vulnerability.

Microsoft rated the the vulnerability "Important".  They released the patch before the regularly scheduled monthly update because of the potential danger and because of active attacks.

Affected Software

  • Microsoft .NET 1.1, 2.0, 3.0, 3.0 and 4.0

You are not at risk unless you run a web server using Microsoft ASP.NET that can be accessed from the Internet.  Most consumers and business desktop systems are not at risk.

Systems with .NET installed but no web server are not vulnerable; however, vulnerable code is present and the system would become vulnerable if it starts running a web site.  Microsoft automatic update mechanisms (when the patch is released via those mechanisms) will likely patch these systems, but there is no urgency to patch these systems.

How Are Systems Compromised?

The vulnerability allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the sensitive information.

How Does the Patch Fix the Vulnerability?

ASP.NET will use signing as well as encryption.  Microsoft believes that this is a change to a very small part of the .NET code and the risk of that isolated change is small.

Are There Any Known Compatibility Issues?

No, Microsoft has done testing and found no compatibility issues.  However, there is no guarantee that some configuration that Microsoft did not test will not have problems.

Does the Patch Required Any Code Changes?

No, the patch is sufficient to fix the vulnerability without any code or configuration change to your existing ASP.NET applications.

Is a Patch Needed for SharePoint or Exchange Outlook Web Access?

No, the ASP.NET patch is sufficient to fix the vulnerability without a patch for SharePoint or Microsoft Exchange.

If I Installed the Workaround, Do I need to Install the Patch, to Uninstall the Workaround Before Installing the Patch?

Yes, you should install the patch as attempts to defeat the workaround have been observed. No, it is not necessary to remove the workaround before installing the patch.

How Do I Protect My Computer?

If you have a vulnerable web server (see Affected Software above) and you store sensitive information encrypted by the web server, you should test and install the patch in Microsoft Security Bulletin MS10-070 as quickly as possible.

If you have multiple versions of .NET installed, you will need to install multiple patches and Microsoft recommends installing them from the lowest version to the highest version.  Knowing what versions of .NET are installed can be challenging.  Using IIS Manager to check the ASP.NET version is not sufficient as it displays only the first three parts of the version and the patch does not change those parts of the version.  You can use and click on Analyze my UA to view the user agent string in your Internet Explorer browser to determine what versions of .NET you have installed.  You can also use Microsoft KB article 318785 "How to determine what versions and service pack level of the Microsoft .NET are installed".

On Tuesday, September 28, 2010, Microsoft released the patch via their download site.  It will be necessary to manually download and install the appropriate versions of the patch.  The download center has 27 different downloads, targeting .Net 1.1 through 4.0 on x86, x64, and IA64.  The patch will be released via Microsoft Update, Automatic Update, WSUS, SMS, and other automatic update mechanisms after Microsoft tests those detection and deployment mechanisms, which should be a few days.

Scott Gu's ASP.NET blog has a table that lists downloads of the patches that correspond to the Operating system and .NET versions you are running.

If you have a web server farm, all active web servers must be upgraded at the same time.

Historically .NET updates have been some of the most troublesome updates to install. If you install these updates and have problems with the installation, you might have to use Aaron Stebner's Removal tool to fix .NET Framework install failures to remove all versions of .NET and reinstall them.

More Information

Security Advisories
Microsoft Security Bulletin:
Microsoft Security Advisory 2416728
Internet Storm Center Diary:

ScottGu's ASP.NET blog
Microsoft Security Response Center (MSRC) Blog
Microsoft Security Research & Defense Blog
Microsoft Tips & Talk Blog (Consumer)

Managed Services

After much research, evaluation, and consultation with Microsoft and other consultants, we have concluded that the risk of the ASP.NET vulnerability is either non-existent or very low for the configuration of servers under Managed Care, and the risk of installing .NET updates does not outweigh the potential vulnerability.  So, we are going to hold off installing .NET patches until either we get any information that the system is more vulnerable that we currently understand or the next regularly patch cycle and Microsoft updates their detection logic.

Professional Services

If you need assistance installing protection from this vulnerability or a security assessment, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Privacy Policy

© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030