MS10-070 OOB Patch for ASP.NET vulnerability

Published: 2010-09-28
Last Updated: 2010-09-30 00:20:37 UTC
by Daniel Wesemann (Version: 5)
27 comment(s)

Microsoft Bulletin MS10-070 has been released. An update is now available that addresses the ASP.NET "information disclosure" vulnerability (CVE-2010-3332) that we reported on earlier.

The core pieces in the advisory are probably in the sections that read

"In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config" and "This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server."

Translated, this means that the vulnerability undermines basic web application security. I suspect that online shops and such might rate the risk that "an attacker can read any file" on their web application server a bit higher than just "important".

According to the bulletin, MSFT are aware of "active attacks".

In combination, this sure sounds like PATCH NOW! to me.

Update 1800UTC: If you're wondering what a "Padding Oracle" is, the original attack is described very well in this research paper.

Update 1830UTC: Changing InfoCon to YELLOW, to raise awareness for this problem and patch. We'll go back to GREEN in 24hrs unless significant new information develops.

Update 00:13 UTC: Changing InfoCon back to Green. Most people should be well and truly aware of the issue. We may raise it again if we receive reports of widespread use or other changes.


Comments

yeah, like Microsoft would release an "important" patch out of band...
My favorite part of the bulletin. "Why are the updates only available from the Microsoft Download Center? Due to the active attacks currently exploiting this vulnerability and the severity of potential loss of data, we are releasing these updates to the Microsoft Download Center so that customers can begin updating their systems as soon as possible. These updates will also be provided through our other standard distribution methods once testing has been completed to ensure distribution will be successful through these channels." In a nutshell, there is no support yet for using DSUW, WU, MU, SMS ITMU, or anything else to deploy these patches. It's not a big deal for workstations, since you shouldn't be running IIS on workstations and should be shields up 24x7 even on your internal LAN on your workstations. And for servers, you can always get something pushed out to the boxes you know are running ASP.NET.
so, is this officially "PATCH NOW" or not??
@dt, yes it is. Your mileage might vary though - the patch is only available through Download Center for now, and not yet via the automated channels. But if you have a valuable internet facing server that is affected by the vulnerability, yes, *test* and then patch asap.
27 different downloads, targeting .Net 1.1 through 4.0 on x86, x64, and IA64. Download Center ridiculousness. And you can’t do a rolling upgrade on a web farm! The patch changes the length of encrypted strings, especially in WebResource.axd files, so unpatched machines can’t concurrently run on the same farm as patched machines.
http://isc.sans.edu/images/status.gif is still green...
@Ken, if you move away from the PC fast enough, the doppler effect will make it look like yellow. OKOK, you're right, we're working on it :)
@Joey
Where did you get your information about needing to push out the patch all at once or having your farm break? Anyone else know if this is true? Trying to decide if I should implement this patch or wait for reports of broken farms.
Is this still considered a patch now if the two workarounds are in place?