Today, as part of Microsoft’s ongoing commitment to protect its customers with security updates and the latest guidance on the threat landscape, the company is releasing MS10-070 as an out-of-band security update. The update addresses a vulnerability in ASP.NET, as described in Security Advisory 2416728, and carries a maximum severity rating of Important and an Exploitability Index rating of 1. As outlined in the advisory, the vulnerability affects the ASP.NET framework on Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.
Microsoft recommends that its customers deploy the update as soon as possible to help protect their computers from criminal attacks. Please see the Microsoft Security Response Center (MSRC) blog for more details.
As always, please let us know if you have any questions!
What is the purpose of this alert?
This alert is to provide you with an overview of the new security bulletin being released (out-of-band) on September 28, 2010.
New Security Bulletin Overview
Microsoft is releasing one new security bulletin (out-of-band) for newly discovered vulnerabilities:
Bulletin ID: MS10-070
Bulletin Title: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
Maximum Severity Rating: Important
Vulnerability Impact: Information Disclosure
Restart Requirement: May require a restart
Affected Software: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Note: The affected software listed above is a summary. Please see the “Affected Software” section of the bulletin (linked under Public Resources below) for complete details.
Executive Summary
This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.
This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.
Public Bulletin Webcast
Microsoft will host a webcast to address customer questions on this bulletin:
Title: Information about Microsoft’s September 2010 (OOB) Security Bulletin Release (Level 200)
Date: Tuesday, September 28, 2010, 1:00 P.M. Pacific Time (U.S. and Canada)
URL: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032464130
Public Resources Related to This Alert
· Security Bulletin MS10-070 – Vulnerability in ASP.NET Could Allow Information Disclosure (2418042): http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
· Security Advisory 2416728 – Vulnerability in ASP.NET Could Allow Information Disclosure: http://www.microsoft.com/technet/security/advisory/2416728.mspx
· Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/
· Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/
· Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/
New Security Bulletin Technical Details
In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle web site at http://support.microsoft.com/lifecycle/.
Bulletin Identifier: Microsoft Security Bulletin MS10-070
This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server.
Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can also be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config.
The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET.
Severity Ratings and Affected Software
This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3.
CVE: CVE-2010-3332 - ASP.NET Padding Oracle Vulnerability
Attack Vectors
To exploit this vulnerability, an attacker would send ciphertext via a Web request to an affected server and determine whether the text was decrypted properly by examining the error code returned by the website. An attacker who made enough of these requests could learn enough information to read or tamper with the encrypted data.
Mitigating Factors
Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.
Workarounds
Enable a UrlScan or Request Filtering rule, enable ASP.NET custom errors, and map all error codes to the same error page. For specific steps, see the “Workaround” section of the bulletin at the link below.
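The attack vector and the fix described above, as an added example that is not Microsoft's or ASP.NET's code: a decrypt routine that answers padding failures and payload failures with different responses (the oracle), beside one that signs IV||ciphertext and verifies the signature in constant time before decrypting, so tampered data never reaches the padding check. The block cipher is a toy HMAC-based Feistel network standing in for AES so that the block needs only the standard library; the keys, the "viewstate:" payload prefix and the HTTP response strings are constructed for the example.

```python
import hashlib, hmac, os

BLOCK = 16  # block size of the toy cipher (same as AES)
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _block(key, blk, rounds):
    # 4-round Feistel net (HMAC round function) standing in for AES; reversed rounds invert it
    left, right = blk[:8], blk[8:]
    for rnd in rounds:
        left, right = right, _xor(left, hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8])
    return right + left
def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _block(key, _xor(pt[i:i + BLOCK], prev), range(4))
        out += prev
    return out
def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_block(key, ct[i:i + BLOCK], range(3, -1, -1)), prev)
        prev = ct[i:i + BLOCK]
    return out
def unpad(b):  # PKCS#7; raises on any malformed padding
    n = b[-1] if b else 0
    if not 1 <= n <= BLOCK or b[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return b[:-n]
def vulnerable_decrypt(key, blob):
    # Pre-update shape: decrypt, then validate. Padding and payload failures
    # answer differently, which is the oracle the bulletin's attack vector describes.
    try:
        pt = unpad(cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:]))
    except ValueError:
        return "HTTP 500 (padding error)"
    return "HTTP 200" if pt.startswith(b"viewstate:") else "HTTP 400 (bad payload)"
def seal(enc_key, mac_key, pt):
    n = BLOCK - len(pt) % BLOCK  # PKCS#7 pad
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, pt + bytes([n]) * n)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC
def hardened_decrypt(enc_key, mac_key, blob):
    # Post-update shape: check the signature over IV||ciphertext in constant time
    # first and fail uniformly; only data we sealed ever reaches the padding check.
    body, tag = blob[:-32], blob[-32:]
    expect = hmac.new(mac_key, body, hashlib.sha256).digest()
    if len(body) < 2 * BLOCK or not hmac.compare_digest(tag, expect):
        return None
    return unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
```

Flipping one byte of the IV in the unsigned blob changes which response the vulnerable routine gives (byte 0 corrupts the payload, byte 15 corrupts the padding), while the signed blob is rejected identically either way.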
This update may require a restart.
Bulletins Replaced by This Update
MS10-041 and MS09-036 on specific versions of Microsoft .NET Framework on specific operating systems. For specific details, see the “Affected Software” section of the bulletin at the link below.
Disclosure Status: This vulnerability was publicly disclosed prior to release. More information is contained in Microsoft Security Advisory 2416728.
Exploit Status: This vulnerability has been exploited in the wild at release.
Full Details
http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx