ASP.NET Security Update Shipping Tuesday, Sept 28th

Update: You can now download the security update here.

An hour ago Microsoft released an advance notification security bulletin announcing that we are releasing an out-of-band security update to address the ASP.NET Security Vulnerability that I’ve blogged about this past week. The security update is fully tested, and is scheduled for release tomorrow, Tuesday September 28th, at approximately 10:00 AM PDT. The advance notice bulletin is intended to ensure administrators know it is coming, and are better prepared to apply it once the update is available.

We’ll release the update tomorrow via the Microsoft Download Center (I’ll blog links to the individual downloads for each version of .NET).  We will then release the update via Windows Update and the Windows Server Update Service in a few days as we complete final distribution testing via these channels.

Applying the update addresses the ASP.NET Security vulnerability, and once the update is applied to your system the workarounds we have previously blogged about will no longer be required.  Until you have installed the update, though, please do make sure to continue using the workarounds.

You can learn more about tomorrow’s security update release from this Microsoft Security Response Center Blog Post as well as the official Advance Notification Bulletin.  We will also hold a special webcast for the bulletin release on Tuesday, September 28, 2010 at 1:00 PM PDT, where we will present information on the bulletin and take customer questions. If you are interested in attending the webcast, click here to sign up.

Thanks,

Scott

Published Monday, September 27, 2010 3:02 PM by ScottGu

Comments

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 6:11 PM by Jeff

Any word on if this update will break anything? Require people to change their IIS configuration, etc? Or will this update allow things to work the same as before?

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 6:13 PM by Damir Tomicic

Thanks Scott, this is great news and really appreciated!

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 6:16 PM by Martin Brown

Thank you for the hard work in getting this fixed so quickly.  Will the patch require a server restart / IIS reset etc? What sort of outage should we expect on our servers when the fix is applied?

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 6:18 PM by Will Strohl

Will the webinar be recorded? I have a meeting at that time. :(

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 6:24 PM by ScottGu

@Jeff,

>>>>>>>>> Any word on if this update will break anything? Require people to change their IIS configuration, etc? Or will this update allow things to work the same as before?

The patch does not require any IIS or ASP.NET code or configuration changes.  It will allow things to update as they were before.

Hope this helps,

Scott

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 6:27 PM by Saurav

Great news!!! Will save lots of effort :)

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 6:35 PM by Paul Litwin

Can this be applied on a live server? Any idea how long it would bring down any running apps?

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 7:02 PM by Kevin McMillen

Thanks for the notice Scott and for the great turnaround time on a release like that.  We appreciated the heads up so quickly when it came out via Twitter...

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 7:04 PM by ryantech

Thanks for the quick heads up via Twitter on Saturday last week and for this notice. Mucho Gracias Gu

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 7:06 PM by Chris Harden

Hi Scott,

Great news on getting a patch out so fast, does this just fix the oracle, or does it fix ScriptResource.axd's abuse of virtualpathprovider too?

I know in theory once the oracle is closed scriptresource is 'fixed' but still, there should be better checks around that.

Thanks,

Chris.

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 7:37 PM by eglasius

I second @Chris on that. If ScriptResource.axd must use the file system then it should have additional validations (not believing blindly that input hasn't been tampered with) / decrypt alone isn't meant to provide that.

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 9:05 PM by Ismael

Nice news :), I was waiting for it :) :)

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 9:11 PM by Zpektrum

Great Job! Thanks a lot for the quick and fast update release.

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 9:24 PM by Prajapati KV

Thanks Sir. This is great news.

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 9:44 PM by scarf

Well done, thanks a lot

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 9:50 PM by James Clarke

Hey Scott.. when will it hit Windows Azure?

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Monday, September 27, 2010 9:56 PM by Simon Holman

Thanks Scott, great to see you guys acting on this so quickly.

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 12:25 AM by David Phan

Hi Scott,

That's great news! Can we back out the security update if there is a problem after it is applied? What exactly does it do?

David

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 12:36 AM by JAs

Great job by Scott and his team in releasing the patch in shortest time possible.

Jas

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 2:20 AM by marcus lenngren

I have been following your blog for a while now and I think you are doing a great job. But I think I will need to follow you on Twitter as well from now on  :)

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 2:46 AM by Petter

Where can we find _detailed_ information about what this fix does?

We have custom error handling, a lot of crypto code and we also use ScriptManager in our app. We need to know the details in order to prepare for the rollout.

Being vague during this whole issue made our task harder.

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 2:54 AM by avrail

Thanks for this info

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 8:28 AM by sukumarraju

Relaxed and assuring myself that I am in safe hands now. Thank you!

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 12:29 PM by Ragesh Krishna

10 days from first announcement to final fix. Thank you, I love you guys. :)

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 1:08 PM by Shanti

Has it been released folks? The Download Center isn't showing it. I have been biting my nails here :-)

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 1:24 PM by Pazu

Great. Microsoft - this counts. Maybe a time to look for other possible holes, that do not look exploitable now - but who knows... AXD looked safe :-)

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 1:35 PM by FelixMa

Will we need to undo the workarounds that were applied last week?

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 2:21 PM by Flug London

Thanks for this information and post, nice!

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 3:30 PM by Rovastar

It is here:

www.microsoft.com/.../ms10-070.mspx

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 3:43 PM by Jeronimo Colon

The patch is out but we're getting "KB2416472 does not apply, or is blocked by another condition on your computer." when we try to install it.  Any ideas why?

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 3:48 PM by Eric

@Rovastar - looks like we have to install an update for each version of .NET that we have running on the server...

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Tuesday, September 28, 2010 6:41 PM by Ray

Hi There,

I'm planning to deploy this patch on our servers today. We noticed we have some pending MS Updates including .NET updates we have not applied to our servers.

QUESTION: Should we install this new ASP.NET patch before the other pending .NET updates or after?

Thanks in advance!

R

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Wednesday, September 29, 2010 9:05 AM by 80's Rocker

1) How can you tell if the above patch has been applied?

2) If you have any other previously released patches that have not been applied, do you need to apply those also?  

3) What if you do not apply the previous patches and then decide to install them later, would you have to reinstall this patch?

# re: ASP.NET Security Update Shipping Tuesday, Sept 28th

Thursday, September 30, 2010 3:36 PM by Nik

After installing the patch, I was quite freaked out to find requests to my site failing - 500s. But only in one browser. To sum up: If you have an MVC site, and are using Html.AntiForgeryToken() - any existing browser sessions will need to be closed and reopened so that the session cookie that was generated before the patch was applied, for that antiforgery token, can be killed. Your existing users may need to be informed of this - I can't see any way to change the name of that cookie.