Emergency Patch for Microsoft ASP.NET Padding Oracle Vulnerability
Microsoft released a so-called "out-of-band" patch to fix a vulnerability in Microsoft
ASP.NET that could disclose sensitive information.
The vulnerability exists in ASP.NET because of improper error handling during
encryption padding verification: the server's error responses reveal whether a
submitted cipher text had valid padding.
An attacker who successfully exploited this vulnerability
could read any file within the ASP.NET application,
including the web server configuration information, even if
it was encrypted by the server.
With any vulnerability that prompts an
out-of-band patch, it is extremely important that you address the
vulnerability as soon as possible if you have vulnerable systems, but
don't panic; most Windows systems will not be affected by this vulnerability.
Warning: Proof-of-concept code for the
vulnerability has been published, limited attacks have been observed,
and attempts to bypass the workarounds have been observed.
(A "warning" alert is for a situation that is currently occurring, or
for which conditions are right for it to occur soon.)
Severity: High (in some specific
configurations). Information disclosure is not typically a high-priority
vulnerability, but if a web server holds sensitive
information used to connect to other servers (for example, your web
server connects to PayPal to accept payments), or if sensitive
information is contained in an Internet-facing web site using
SharePoint, disclosure of that information could be a high-priority vulnerability.
Microsoft rated the vulnerability (CVE-2010-3332) "Important".
They released the patch before the regularly scheduled
monthly update because of the potential danger and because of active attacks.
Affected Software
- Microsoft .NET Framework 1.1, 2.0, 3.0, 3.5 and 4.0
You are not at risk unless you run a web server
using Microsoft ASP.NET
that can be accessed from the Internet. Most consumer and
desktop systems are not at risk.
Systems with .NET installed but no web server are
not vulnerable; however, vulnerable code is present and the system
would become vulnerable if it starts running a web site.
Microsoft automatic update mechanisms (when the patch is
released via those mechanisms) will likely patch these systems, but
there is no urgency to patch these systems.
How Are Systems Compromised?
The vulnerability allows an attacker to send chosen
cipher text to the web server and learn whether it decrypted to correctly
padded data by examining which error the web server returned. Each such
request leaks a little information about the plaintext. By making
many such requests (and watching what errors are returned) the attacker
can decrypt the sensitive information without ever learning the key.
Does the Patch Fix the Vulnerability?
Yes. ASP.NET will now sign (authenticate) the encrypted data as well as
encrypt it, so tampered cipher text is rejected before its padding is ever
checked and the error differences the attack depends on are no longer
observable. Microsoft believes that this is a change to a very small part
of the .NET code and that the risk of that isolated change is small.
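The mechanics described under "How Are Systems Compromised?" and the "signing as well as encryption" fix described above, as an added worked example (this is not code from the bulletin, from Microsoft, or from ASP.NET). The block cipher is a toy 4-round Feistel network built on SHA-256 so the file runs with only the Python standard library; it stands in for AES and is not a secure cipher. The function names, the HMAC-SHA256 tag length and the sample connection string are all my own assumptions, constructed for the demonstration.

```python
"""Added example: a CBC padding oracle attack, and the encrypt-then-MAC fix.
Toy Feistel cipher on SHA-256 stands in for AES (assumption; NOT secure)."""
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):                 # Feistel round function
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left                 # final swap keeps decryption symmetric

def block_decrypt(key, block):
    right, left = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data):                          # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):        # returns IV || C1 || ... || Cn
    pt, prev = pad(plaintext), os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:])))

def vulnerable_oracle(key, ct):
    """Unpatched server: a padding failure is distinguishable from success
    (on the real server, by which error response came back)."""
    try:
        cbc_decrypt(key, ct)
        return True
    except ValueError:
        return False

def patched_oracle(enc_key, mac_key, msg):
    """Patched server: verify an HMAC over the whole cipher text, in constant time,
    BEFORE decrypting. Tampered input never reaches the padding check, so every
    forged message gets the same answer and leaks nothing."""
    ct, tag = msg[:-32], msg[-32:]
    ok = hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag)
    return ok and vulnerable_oracle(enc_key, ct)

def mac_encrypt(enc_key, mac_key, plaintext):
    ct = cbc_encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def padding_oracle_attack(oracle, ct):
    """Recover the plaintext of ct using only the oracle's yes/no answers."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)        # block_decrypt(key, cur), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos        # forge a "previous block" so the tail decrypts to padval bytes
            for guess in range(256):
                forged = bytearray(inter[j] ^ padval if j > pos else 0 for j in range(BLOCK))
                forged[pos] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                forged[pos - 1] ^= 1    # last byte only: re-check so \x02\x02 is not mistaken for \x01
                if pos < BLOCK - 1 or oracle(bytes(forged) + cur):
                    inter[pos] = guess ^ padval
                    break
            else:
                raise RuntimeError("no padding signal: this server is not an oracle")
        recovered += _xor(inter, prev)
    return unpad(recovered)

def demo():
    """Returns (attack recovers the secret from the unpatched server,
    attack fails against the patched server)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    secret = b'<add name="db" connectionString="Server=sql;Password=hunter2" />'  # constructed sample
    leaked = padding_oracle_attack(lambda c: vulnerable_oracle(enc_key, c), cbc_encrypt(enc_key, secret))
    try:
        padding_oracle_attack(lambda c: patched_oracle(enc_key, mac_key, c), mac_encrypt(enc_key, mac_key, secret))
        blocked = False
    except RuntimeError:
        blocked = True
    return leaked == secret, blocked

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the whole point of the bulletin: the attacker never sees the key, yet about 128 yes/no answers per byte are enough to read the encrypted configuration data from the unpatched oracle, while the patched server answers every tampered message identically and the same attack code gets nowhere. Note the order in the patched version: the MAC is checked over the cipher text first, with a constant-time comparison, and decryption (and therefore padding validation) only happens once the message is known to be genuine.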
Are There Any Known Compatibility Issues?
No, Microsoft has done testing and found no compatibility issues.
However, there is no guarantee that some configuration that
Microsoft did not test will not have problems.
Does the Patch Require Any Code Changes?
No, the patch is sufficient to fix the
vulnerability without any code or configuration change to your existing
applications.
Is a Patch Needed for SharePoint or
Exchange Outlook Web Access?
No, the ASP.NET patch is sufficient to fix the vulnerability without a patch for SharePoint or Microsoft Exchange.
If I Installed the Workaround, Do I
Need to Install the Patch, or Uninstall the Workaround Before
Installing the Patch?
Yes, you should install the patch, as attempts to defeat the workaround
have been observed. No, it is not necessary to remove the workaround
before installing the patch.
How Do I Protect My Computer?
If you have a vulnerable web server (see Affected
Software above) and you store sensitive information encrypted by the
web server, you should test and install the patch in Microsoft Security
Bulletin MS10-070 as quickly as possible.
If you have multiple versions of .NET installed,
you will need to install multiple patches and Microsoft recommends
installing them from the lowest version to the highest version.
Knowing what versions of .NET are installed can be
challenging. Using IIS Manager to check the ASP.NET version
is not sufficient, as it displays only the first three parts of the
version and the patch does not change those parts of the version.
The ".NET CLR" tokens in Internet Explorer's user agent string
(go to http://user-agent-string.info/ and click on Analyze my UA to
view it) list which .NET versions are installed, but they too carry
only three version parts, so they tell you which frameworks need a
patch, not whether the patch is already on. To check the actual file
versions, use Microsoft KB article 318785,
"How to determine what versions and service pack level of the Microsoft
.NET Framework are installed".
On Tuesday, September 28, 2010, Microsoft released
the patch via their download site. It will be necessary to
manually download and install the appropriate versions of the patch.
The download center has 27 different downloads, targeting
.Net 1.1 through 4.0 on x86, x64, and IA64. The patch will be
released via Microsoft Update, Automatic Update, WSUS, SMS, and other
automatic update mechanisms after Microsoft tests those detection and
deployment mechanisms, which should be a few days.
ScottGu's ASP.NET blog
has a table that lists the patch downloads that
correspond to the operating system and .NET versions you are running.
If you have a web server farm, all active web
servers must be upgraded at the same time.
Historically .NET updates have
been some of the most troublesome updates to install.
If you install these updates and have problems with the
installation, you might have to use Aaron Stebner's Removal tool to fix .NET Framework install failures
to remove all versions of .NET and reinstall them.
References
- Microsoft Security Bulletin MS10-070
- Microsoft Security Advisory 2416728
- Internet Storm Center Diary: http://isc.sans.edu/diary.html?storyid=9625
- US-CERT: http://www.us-cert.gov/current/index.html#microsoft_releases_security_bulletin_ms10
- ScottGu's ASP.NET blog
- Microsoft Security Response Center (MSRC) Research & Defense blog
- Microsoft Tips & Talk blog (consumer)
After much research, evaluation, and consultation
with Microsoft and other consultants, we have concluded that the risk
of the ASP.NET vulnerability is either non-existent or very low for the
configuration of servers under Managed Care, and that the potential
vulnerability does not outweigh the risk of
installing .NET updates. So, we are going to hold
off installing the .NET patches until either we get
information that the systems are more vulnerable than we currently
understand, or the next regular patch cycle, when Microsoft
will have updated their detection logic.
If you need assistance installing protection from
this vulnerability or a security assessment, IT Professional
can help. Call our
out more about our managed care service.
To find out how vulnerable your network is
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.