IEC Update: Microsoft Releases Out-of-Band Security Update to Address ASP.NET Vulnerability
Forwarded information from the IEC.......Harriet



Jerry Cochrane, Coordinator
Iowa Educators Consortium
1120 33rd Avenue SW
Cedar Rapids, IA  52404

Phone: 319-399-6741, (800) 798-9771, Ext. 6741
Fax: 319-399-6474
Email: jcochr...@gwaea.org
IEC Website: www.iec-ia.org



--------------------------------------------------------------------------------

Subject: Alert - Microsoft Releases Out-of-Band Security Update to Address ASP.NET Vulnerability

Today, as part of Microsoft's ongoing commitment to protect its customers with 
security updates and the latest guidance on the threat landscape, the company 
is releasing MS10-070 
<http://www.microsoft.com/technet/security/Bulletin/MS10-070.mspx> as an 
out-of-band security update. The update addresses a vulnerability in ASP.NET, 
as described in Security Advisory 2416728 
<http://www.microsoft.com/technet/security/advisory/2416728.mspx>, and carries 
a maximum severity rating of Important and an Exploitability Index rating of 1. 
As outlined in the advisory, the vulnerability affects ASP.NET framework on 
Windows XP, Windows Vista, Windows 7, and Windows Server 2003 and 2008 and 
Windows Server 2008 R2.
 
Microsoft recommends that its customers deploy the update as soon as possible 
to help protect their computers from criminal attacks. Please see the Microsoft 
Security Response Center (MSRC) <http://blogs.technet.com/b/msrc/> blog for 
more details.
 
As always, please let us know if you have any questions!
 
Best,
Gary Kono 
Microsoft-Consortia Inside Account Manager-North Central Region
Direct: 425.538.0525 ext. 80525
v-gak...@microsoft.com
 

What is the purpose of this alert? 
This alert is to provide you with an overview of the new security bulletin 
being released (out-of-band) on September 28, 2010. 

New Security Bulletin Overview

Microsoft is releasing one new security bulletin (out-of-band) for newly 
discovered vulnerabilities: 

Bulletin ID: MS10-070  
http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

Bulletin Title: Vulnerability in ASP.NET Could Allow Information Disclosure 
(2418042)

Maximum Severity Rating: Important 

Vulnerability Impact: Information Disclosure

Restart Requirement: May require a restart

Affected Software: Windows XP, Windows Server 2003, Windows Vista, Windows 
Server 2008, Windows 7, and Windows Server 2008 R2

Note: Affected software listed above is an abstract. Please see the "Affected 
Software" section of the bulletin at the link in the left column above for 
complete details. 

Executive Summary

This security update resolves a publicly disclosed vulnerability in ASP.NET. 
The vulnerability could allow information disclosure. An attacker who 
successfully exploited this vulnerability could read data, such as the view 
state, which was encrypted by the server. This vulnerability can also be used 
for data tampering, which, if successfully exploited, could be used to decrypt 
and tamper with the data encrypted by the server. Microsoft .NET Framework 
versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected 
by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET 
except Microsoft .NET Framework 1.0 Service Pack 3. The security update 
addresses the vulnerability by additionally signing all data that is encrypted 
by ASP.NET. 

This security update also addresses the vulnerability first described in 
Microsoft Security Advisory 2416728 
<http://www.microsoft.com/technet/security/advisory/2416728.mspx>.

Public Bulletin Webcast

Microsoft will host a webcast to address customer questions on this bulletin:
Title: Information about Microsoft's September 2010 (OOB) Security Bulletin 
Release (Level 200)
Date: Tuesday, September 28, 2010, 1:00 P.M. Pacific Time (U.S. and Canada)
URL: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032464130

Public Resources Related to This Alert


- Security Bulletin MS10-070 - Vulnerability in ASP.NET Could Allow 
  Information Disclosure (2418042): 
  http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

- Security Advisory 2416728 - Vulnerability in ASP.NET Could Allow 
  Information Disclosure: 
  http://www.microsoft.com/technet/security/advisory/2416728.mspx

- Microsoft Security Response Center (MSRC) Blog: 
  http://blogs.technet.com/msrc/

- Microsoft Security Research & Defense (SRD) Blog: 
  http://blogs.technet.com/srd/

- Microsoft Malware Protection Center (MMPC) Blog: 
  http://blogs.technet.com/mmpc/


New Security Bulletin Technical Details

In the following tables of affected and non-affected software, software 
editions that are not listed are past their support lifecycle. To determine the 
support lifecycle for your product and edition, visit the Microsoft Support 
Lifecycle web site at http://support.microsoft.com/lifecycle/.

Bulletin Identifier: Microsoft Security Bulletin MS10-070

Bulletin Title: Vulnerability in ASP.NET Could Allow Information Disclosure 
(2418042) 

Executive Summary: This security update resolves a publicly disclosed 
vulnerability in ASP.NET. The vulnerability could allow information disclosure. 
An attacker who successfully exploited this vulnerability could read data, such 
as the view state, which was encrypted by the server. This vulnerability can 
also be used for data tampering, which, if successfully exploited, could be 
used to decrypt and tamper with the data encrypted by the server.  
Note that this vulnerability would not allow an attacker to execute code or to 
elevate their user rights directly, but it could be used to produce information 
that could be used to try to further compromise the affected system. In 
Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can 
also be used by an attacker to retrieve the contents of any file within the 
ASP.NET application, including web.config.
 
The security update addresses the vulnerability by additionally signing all 
data that is encrypted by ASP.NET.

Severity Ratings and Affected Software: This security update is rated Important 
for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 
Service Pack 3.
 
CVE: CVE-2010-3332 - ASP.NET Padding Oracle Vulnerability

Attack Vectors: To exploit this vulnerability, an attacker would send cipher 
text via a Web request to an affected server to determine whether the text was 
decrypted properly by examining the error code returned by the website. An 
attacker who made enough of these requests could learn enough information to 
read or tamper with the encrypted data. 

Mitigating Factors: Microsoft .NET Framework versions prior to Microsoft .NET 
Framework 3.5 Service Pack 1 are not affected by the file content disclosure 
portion of this vulnerability. 

Workarounds: Enable a UrlScan or Request Filtering rule, enable ASP.NET custom 
errors, and map all error codes to the same error page. For specific steps, see 
the "Workaround" section of the bulletin at the link below. 

Restart Requirement: This update may require a restart. 

Bulletins Replaced by This Update: MS10-041 and MS09-036 on specific versions 
of Microsoft .NET Framework on specific operating systems. For specific 
details, see the "Affected Software" section of the bulletin at the link below. 

Disclosure Status and Exploit Status: This vulnerability was publicly disclosed 
prior to release. More information is contained in Microsoft Security Advisory 
2416728 <http://www.microsoft.com/technet/security/advisory/2416728.mspx>. 
This vulnerability has been exploited in the wild at release.

Full Details: http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and 
dynamic (Web-based) content. Microsoft's security content posted to the Web is 
occasionally updated to reflect late-breaking information. If this results in 
an inconsistency between the information here and the information in 
Microsoft's Web-based security content, the information in Microsoft's 
Web-based security content is authoritative.

Thank you,
 
Microsoft CSS Security Team
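The following is an added example and not code from Microsoft, from the bulletin, or from ASP.NET itself. It is written in Python around a deliberately tiny toy block cipher (a four-round Feistel network built on HMAC-SHA256, standing in for AES so the block runs with the standard library alone) and shows the two halves of the technical details above side by side: a CBC decryptor that checks PKCS#7 padding after decrypting, and therefore answers a modified ciphertext with a different error than it gives for other failures, next to the remedy the bulletin names, signing everything that is encrypted (encrypt-then-MAC with a constant-time tag check), which rejects any modified input with one uniform error before any decryption or padding check takes place. The keys, the "hello" message and the single-byte tamper are constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size of the toy cipher, in bytes
TAG_LEN = 32  # HMAC-SHA256 tag length


class PaddingError(Exception):
    """Raised by the unsigned decryptor when PKCS#7 padding is malformed."""


class InvalidCiphertext(Exception):
    """The only error the signed decryptor ever raises, whatever went wrong."""


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel network with HMAC-SHA256 as the round function.
    # Toy cipher for illustration only: invertible, which is all we need here.
    left, right = block[:8], block[8:]
    for r in range(4):
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def _toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        f = hmac.new(key, bytes([r]) + left, hashlib.sha256).digest()[:8]
        left, right = _xor(right, f), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n == 0 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad PKCS#7 padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns IV || CBC ciphertext, with no authentication at all."""
    iv = os.urandom(BLOCK)
    padded = pkcs7_pad(plaintext)
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = _toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def _cbc_decrypt_raw(key: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) < 2 * BLOCK or len(ciphertext) % BLOCK:
        raise ValueError("bad length")
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(body), BLOCK):
        blk = body[i:i + BLOCK]
        out.append(_xor(_toy_block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def decrypt_unsigned(key: bytes, ciphertext: bytes) -> bytes:
    """Decrypt first, check padding second: a padding failure surfaces as a
    different error than any other failure, which is the observable
    difference the bulletin's "Attack Vectors" paragraph describes."""
    return pkcs7_unpad(_cbc_decrypt_raw(key, ciphertext))


def encrypt_signed(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(mac_key, ciphertext)."""
    ct = cbc_encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt_signed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    # Constant-time comparison, and nothing is decrypted unless the tag
    # matches, so padding is only ever checked on data this server produced.
    if len(blob) < TAG_LEN or not hmac.compare_digest(tag, expected):
        raise InvalidCiphertext("invalid data")
    try:
        return pkcs7_unpad(_cbc_decrypt_raw(enc_key, ct))
    except (PaddingError, ValueError):
        raise InvalidCiphertext("invalid data")


def observe_unsigned(key: bytes, ciphertext: bytes) -> str:
    """What a client watching error codes learns from the unsigned path."""
    try:
        decrypt_unsigned(key, ciphertext)
        return "ok"
    except PaddingError:
        return "padding-error"
    except ValueError:
        return "other-error"


def observe_signed(enc_key: bytes, mac_key: bytes, blob: bytes) -> str:
    """The signed path gives the same answer for every kind of bad input."""
    try:
        decrypt_signed(enc_key, mac_key, blob)
        return "ok"
    except InvalidCiphertext:
        return "invalid"


def flip_last_iv_byte(ciphertext: bytes) -> bytes:
    """Constructed tamper: XOR the last IV byte with 0x80, which in CBC flips
    the high bit of the last byte of the first plaintext block."""
    tampered = bytearray(ciphertext)
    tampered[BLOCK - 1] ^= 0x80
    return bytes(tampered)
```

Run the two `observe_*` helpers over the same tampered message to see the difference: the unsigned decryptor reports a padding error that is distinct from its other failures, while the signed decryptor reports only that the data is invalid, which is why the update's "additionally signing all data that is encrypted" closes the gap that the custom-errors workaround only papers over.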
