This alert is to notify you that Microsoft published Security Advisory 2416728 – Vulnerability in ASP.NET Could Allow Information Disclosure – on September 17, 2010.

SUMMARY

Microsoft is investigating new public reports of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, that was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending the altered contents back to the affected server, the attacker could observe the error codes returned by the server. At this time we are not aware of attacks attempting to use the reported vulnerabilities.
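A defender's view of the behaviour described above, as an added example that is not part of the Microsoft advisory: it parses IIS W3C extended log lines and flags clients that keep sending different query values to the same page and mostly receive error status codes. The log sample, the query parameter name and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed IIS W3C extended log sample (not from the advisory).
# Client addresses are documentation ranges; paths and values are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-09-18 10:00:01 192.0.2.10 GET /app/page.aspx v=Zm9vYmFyMDAwMQ 200
2010-09-18 10:00:02 192.0.2.10 GET /app/page.aspx v=Zm9vYmFyMDAwMg 500
2010-09-18 10:00:02 192.0.2.10 GET /app/page.aspx v=Zm9vYmFyMDAwMw 500
2010-09-18 10:00:03 192.0.2.10 GET /app/page.aspx v=Zm9vYmFyMDAwNA 404
2010-09-18 10:00:03 192.0.2.10 GET /app/page.aspx v=Zm9vYmFyMDAwNQ 500
2010-09-18 10:00:04 192.0.2.10 GET /app/page.aspx v=Zm9vYmFyMDAwNg 500
2010-09-18 10:01:10 198.51.100.7 GET /app/page.aspx v=Zm9vYmFyMDAwMQ 200
2010-09-18 10:01:15 198.51.100.7 GET /app/old.aspx - 404
2010-09-18 10:01:20 198.51.100.7 GET /app/page.aspx v=Zm9vYmFyMDAwMQ 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def suspected_probing(text, min_variants=4, min_error_ratio=0.8):
    """Return {(client_ip, path): n} where n is the number of distinct query
    values from that client that produced a 4xx/5xx status on that path."""
    stats = defaultdict(lambda: {"total": 0, "failed": set()})
    for row in parse_w3c(text):
        entry = stats[(row["c-ip"], row["cs-uri-stem"])]
        entry["total"] += 1
        is_error = row["sc-status"].startswith(("4", "5"))
        if is_error and row["cs-uri-query"] != "-":  # "-" means no query string
            entry["failed"].add(row["cs-uri-query"])
    flagged = {}
    for key, entry in stats.items():
        n = len(entry["failed"])
        # Many distinct values, nearly all rejected: repeated altered input.
        if n >= min_variants and n / entry["total"] >= min_error_ratio:
            flagged[key] = n
    return flagged

if __name__ == "__main__":
    print(suspected_probing(SAMPLE_LOG))
```
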

We are working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process, or providing an out-of-cycle security update, depending on user needs.

MITIGATING FACTORS

· Microsoft has not identified any mitigation for this vulnerability.

AFFECTED SOFTWARE

| Operating System | Component |
|---|---|
| Windows XP | |
| Windows XP Media Center Edition 2005 and Windows XP Tablet PC Edition 2005 | Microsoft .NET Framework 1.0 Service Pack 3 |
| Windows XP Service Pack 3 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows XP Professional x64 Edition Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2003 | |
| Windows Server 2003 Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2003 x64 Edition Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Vista | |
| Windows Vista Service Pack 1 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Vista Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Vista x64 Edition Service Pack 1 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Vista x64 Edition Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 | |
| Windows Server 2008 for 32-bit Systems | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for x64-based Systems | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for Itanium-based Systems | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows 7 | |
| Windows 7 for 32-bit Systems | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |
| Windows 7 for x64-based Systems | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 R2 | |
| Windows Server 2008 R2 for x64-based Systems | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 R2 for Itanium-based systems | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |

Recommendations

Review Microsoft Security Advisory 2416728 for a summary of this issue, details on the affected components, mitigating factors, workarounds, suggested actions, FAQs, and links to additional resources.

Technical Resources

· Microsoft Advisory 2416728 – Vulnerability in ASP.NET Could Allow Information Disclosure: http://www.microsoft.com/technet/security/advisory/2416728.mspx

· Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/b/msrc/archive/2010/09/17/security-advisory-2416728-released.aspx

· Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

· Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/