Microsoft Revises ASP.NET Security Advisory
- By Kurt Mackie
- Sep 27, 2010
Microsoft on late Friday published yet another revision to its security advisory on ASP.NET systems.
Security advisory 2416728 now bears a revision date of Sept. 24, 2010, although it was revised once before. In this latest release, Microsoft added an additional workaround step for IT pros to carry out. This step involves running a free Microsoft program called "UrlScan" designed to verify HTTP server requests. The current version of this tool, UrlScan 3.1, works with Internet Information Services (IIS) 5.1, 6.0 and 7.0 on Windows systems.
Microsoft has described this problem associated with ASP.NET systems as an information disclosure vulnerability. Security info can be gleaned through a "padding oracle" exploit. Essentially, an attacker can gain information from the server's "oracle" by sending flawed requests and interpreting the returned error messages. The oracle (an encryption component not associated with Oracle products) essentially needs to stop talking so much about its security settings.
An attacker can get password information from "cookies, ViewState, URL strings [and] hidden fields" from systems using ASP.NET and change the encrypted information, according to Microsoft blogger Vlad Azarkhin. By changing that information and querying the server, the attacker may gain enough information to impersonate the administrator, gaining access to the server, Azarkhin explained.
The objective in running UrlScan is to block "requests that specify the applications error path on the querystring," according to the revised workaround steps in the security advisory. Microsoft's general workaround solution is to configure ASP.NET to send a single error page, rather than a series of specific messages from the oracle, according to Azarkhin's latest blog post. He described the workaround as "not enough" but "vital" to apply. He noted that this problem is not specific to Microsoft products but was first discovered with the Java Server Faces Framework.
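The advisory's "single error page" workaround is easier to reason about with a small model of the server side. The block below is an added illustration, not Microsoft's code or anything from the advisory: it stands in for the step after an ASP.NET cookie or ViewState has been decrypted, building the still-padded buffer directly (with a constructed placeholder key) so it runs offline. The first handler shows the pre-workaround behaviour, where a malformed-padding failure and an integrity-check failure produce visibly different responses, which is exactly the distinction a padding oracle needs. The second handler applies the two defensive changes together: verify the integrity tag before the padding is ever inspected, and map every failure to one generic error page.

```python
"""Model of a padding oracle and the single-error-page mitigation.

Constructed example: the real system decrypts AES-CBC first; here the
decrypted, still-padded body is built directly so the example runs offline.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # placeholder, not a real secret
BLOCK = 16
TAG_LEN = 32                   # HMAC-SHA256 digest length
GENERIC = (302, "/error.html")  # one response for every failure cause


class PaddingError(Exception):
    """PKCS#7 padding is malformed: the signal an oracle attack listens for."""


class IntegrityError(Exception):
    """Integrity tag over the body does not match."""


def tag(body: bytes) -> bytes:
    """Keyed integrity tag over the padded body."""
    return hmac.new(KEY, body, hashlib.sha256).digest()


def make_token(plain: bytes) -> bytes:
    """Build a valid token: PKCS#7-padded body followed by its tag."""
    n = BLOCK - len(plain) % BLOCK
    body = plain + bytes([n]) * n
    return body + tag(body)


def unpad(body: bytes) -> bytes:
    """Strict PKCS#7 check: every pad byte must equal the pad length."""
    if not body or len(body) % BLOCK:
        raise PaddingError
    n = body[-1]
    if n < 1 or n > BLOCK or body[-n:] != bytes([n]) * n:
        raise PaddingError
    return body[:-n]


def leaky_handler(token: bytes) -> tuple:
    """Pre-workaround behaviour: padding is inspected on attacker-controlled
    data before the tag is checked, and each failure has its own response."""
    body, mac = token[:-TAG_LEN], token[-TAG_LEN:]
    try:
        plain = unpad(body)
    except PaddingError:
        return (500, "padding error")        # distinguishable message 1
    if not hmac.compare_digest(tag(body), mac):
        return (500, "integrity check failed")  # distinguishable message 2
    return (200, plain)


def uniform_handler(token: bytes) -> tuple:
    """Mitigated behaviour: verify the tag first, and return the same
    generic error page whatever the cause of failure."""
    body, mac = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(tag(body), mac):
        return GENERIC
    try:
        return (200, unpad(body))
    except PaddingError:
        return GENERIC


if __name__ == "__main__":
    good = make_token(b"user=alice")
    bad_pad = good[:-TAG_LEN - 1] + b"\x00" + good[-TAG_LEN:]  # corrupt last body byte
    bad_mac = good[:-1] + bytes([good[-1] ^ 1])               # corrupt last tag byte
    print("leaky  :", leaky_handler(bad_pad), leaky_handler(bad_mac))
    print("uniform:", uniform_handler(bad_pad), uniform_handler(bad_mac))
```

Running the block prints two different 500 responses from `leaky_handler` for the two corrupted tokens and the identical `(302, '/error.html')` from `uniform_handler`. That uniform response is what the advisory's custom-error configuration achieves at the ASP.NET level, and UrlScan's role in the revised workaround is to stop the error path itself from being selected through the query string; Azarkhin's "not enough" caveat still applies, since response timing remains a separate side channel that an identical error body does not close on its own.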
Microsoft revised the security advisory to update its workaround, but the advisory specifically states that IT pros who applied the workaround previously need to go through all of the steps again.
"Customers who have already applied the workaround need to reapply all listed steps."
That language seems clear. And while a blog by Scott Guthrie, corporate vice president of Microsoft's .NET developer platform, and a blog by Dave Forstrom, director of trustworthy computing at Microsoft, both described the UrlScan addition to the workaround as an "additional step" to take, it's an additional step on top of going through the workaround steps all over again.
The vulnerability is also associated with other Microsoft products that rely on ASP.NET, including SharePoint and Exchange. All Exchange systems, starting from Exchange 2003, are potentially affected and require the workaround, according to this Microsoft blog.
Another Microsoft blog states that the workaround needs to be applied for systems using "SharePoint 2010, SharePoint Foundation 2010, Microsoft Office SharePoint Server 2007, Windows SharePoint Services 3.0 [and] Windows SharePoint Services 2.0." It doesn't need to be applied for systems using "SharePoint Portal Server 2003."
Microsoft opened a forum page on the ASP.NET vulnerability to address questions. The company is working on a patch, but advises IT pros to use the workaround in the meantime.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.