Microsoft announced a serious security vulnerability in ASP.NET that allows an attacker to gain unauthorized access to files within your web site, including the web.config file which can contain sensitive information such as database login.

You can review the technical details of this vulnerability on Scott Guthrie’s blog:

Since Microsoft has not released a patch for this problem, we recommend that our customers do the following:

  • Update your web application with the workaround recommended in the above posts and enable <customErrors>
  • Encrypt your web.config file as recommended by Scott Guthrie for best practices in this FAQ. We describe how to encrypt your web.config file in this Knowledge Base article.

Microsoft has also created a forum on the ASP.net site to field questions about this security vulnerability.

Frank Cheung
CTO

 

9 Responses to “ASP.NET Security Vulnerability and What To Do About It”

  1. [...] This post was mentioned on Twitter by Joseph Guadagno, Rich O'Connor. Rich O'Connor said: RT @Discountasp: New Blog Post – ASP.NET Security Vulnerability and What To Do About It – http://cot.ag/bxN0CR Please ReTweet [...]

  2. anthony says:

    The update is now available to fix this problem:
    http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx

    Do you know when you’re going to apply it to your web servers?

    Anthony

    • Robert says:

      Yes… can you schedule this ASAP and keep us informed. The temp fix makes it difficult to develop since you lose the feedback when encountering errors. Thx.

  3. Frank says:

    We have already started the process of testing the hotfix in development yesterday. From what I hear from our sysadmin team, the installation is a pain because multiple patches needs to be applied (one for each framework version)

    Please understand that this update is an out-of-band update and has no automatic deployment with Windows Update. Patching the servers is a manual process and can take a while for us to patch all the servers.

  4. Tom says:

    Any update on this yet?

    • mjp says:

      Yes, I’m about to post in the maintenance forum (check there for details), but we will be starting the fixes tomorrow evening.

  5. Sandra Holman says:

    Today, 11/4/2010, I received a security warning when I attempted to go to my mail. What is going on? All the info I see here is from last month! Are you working on a new fix?

    • mjp says:

      We are in contact with Microsoft in an attempt to have the affected servers removed from their security list. It appears at this time that many providers were affected, so we are assuming that there was an error on Microsoft’s part that caused the server to be flagged as “unsafe.”

      If you are still experiencing the issue, you can temporarily disable the Microsoft security check in order to access your email. The quickest method is:

      - Click “Safety” in the upper right corner of the browser.
      - Highlight “Smart Screen Filter”
      - Click “Turn Off Smart Screen Filter”

      Alternately, to add your webmail URL to your list of trusted web sites and turn SmartScreen Filter off for that site:

      - Click to open Internet Explorer.
      - Navigate to the web site that you want to add to the list of trusted sites.
      - Click the Tools button, and then click Internet Options.
      - Click the Security tab, and then click Trusted sites.
      - Click the Sites button.
      - The web site address should appear in the Add this web site to the zone box.
      - If the site is not a secure site (HTTPS), clear the Require server verification (https:) for all sites in this zone check box.
      - Click Add, and then click Close.
      - On the Security tab, click Custom level.
      - In the Security Settings dialog box, scroll to find Use SmartScreen Filter, and then click Disable.
      - Click OK, and then click OK again.

Leave a Reply

iBlog by PageLines