ASP.NET Security Fix Now on Windows Update

Earlier this week I blogged about the availability of a patch on the Microsoft Download Center to fix the recent ASP.NET Security Vulnerability.

Today we also made it possible to update systems through Windows Update (WU) and Windows Server Update Services (WSUS).  This enables administrators to more easily streamline patch installs, and enables you to take advantage of the WU/WSUS infrastructure to detect which patches you should install based on what versions of .NET are on your system.

Please make sure to install these updates as soon as possible on your servers.  This will prevent attackers from using the vulnerability to attack your systems.

Using Windows Update

If you run Windows Update on your system you’ll see the security updates listed if you haven’t already installed them on your computer.  Note that you’ll see a separate update available for each version of .NET you have installed on your system:

image

Please make sure all of the “Security Update for Microsoft .NET Framework” updates are selected and then apply them to keep your system secure.

Useful Notes and Frequently Asked Questions

In my blog post earlier in the week I answered a few commonly asked questions about the security updates.  Below are a few additional notes based on help we’ve provided a few customers who have applied the update:

Do I Really Need to Apply this Update?

Yes. This update fixes security vulnerabilities that are publically known. You must install this update patch to be safe.

Make Sure You Apply the Update on All Servers in a Web-Farm

Because the patch modifies the encryption/signing behavior of certain features in ASP.NET, it is important that you apply it to all machines in a web-farm.  If you have a mix-match of patched/un-patched systems you’ll have forms-authentication, webresource.axd, and scriptresource.axd requests succeed/fail depending on which server they hit in the farm (since the encryption used would be different across them).

Persistent Forms Authentication Cookie Behavior

After you apply the security update, visitors who have a persistent forms authentication cookie (the “remember me” scenario on login) will no longer be logged into your site – and will need to login again.  The ASP.NET Forms Authentication system by default automatically handles this scenario for you – and will redirect visitors with a pre-patch forms-authentication cookie to the login page you’ve configured for your site.  No error page is displayed – the behavior the end-user sees is the same as if the cookie had timed out.  This is a good user experience and doesn’t require you to take any additional steps to ensure un-interrupted traffic to your site.

Note: We have had a few customers report problems with persistent forms-auth cookies that turned out to be issues either in their application code, or in a third party logging component they used.  Specifically, this application code attempted its own decryption of the forms authentication cookie and threw exceptions when the cookie did not decrypt successfully. If after applying the security update you see issues with people who have saved forms authentication cookies visiting your site you might also be encountering this.  There are two ways you can fix it: 1) update your code to not throw exceptions to end-users in these cases, or 2) modify the name of the forms-auth cookie that ASP.NET’s Forms Authentication system uses.  Approach #2 is easy and doesn’t require any code changes - just modify the <forms name=".ASPXAUTH"/> configuration section in your web.config file and switch to a different cookie name.  This will prevent your code from throwing exceptions because the old cookie failed to decrypt (instead the system will ignore the old cookie and issue all new cookies under the new cookie name you’ve configured).

Forms Authentication can continue to work across ASP.NET Versions

ASP.NET supports the scenario where you have multiple applications on a server, and share the same forms-authentication cookie ticket across all of them. It also supports the scenario where different applications on the site use different versions of ASP.NET.  For example, one part of the site might be built with ASP.NET 2.0, another part with ASP.NET 3.5 SP1, and another part ASP.NET 4. This continues to be supported with the security update. 

Note: If you are going to share the forms-authentication ticket across .NET 2 and .NET 3.5 SP1 or .NET 4.0 sites, then we recommend having .NET 2.0 SP2 installed to do so.

Make sure servers in a Web Farm use the same service pack of .NET 2 on all machines

We have seen an issue with a customer where they were running a site distributed across multiple servers in a web-farm, and some of the servers were running .NET 2.0 SP1 and others were running .NET 2.0 SP2.  The URLs for webresource.axd and scriptresource.axd end up being different across the two Service Pack flavors when the security patch is applied – which can cause problems if your web-farm doesn’t consistently use the same service pack.  You should make sure that the same service-pack of .NET 2.0 is installed across all the machines in a web-farm if they are running the same application across all of them. 

How to Get Help If You Need It

You can ask questions and get help with the security vulnerability and update in a special ASP.NET Forum that we have setup here

You can also contact Microsoft Customer Support for help with problems or questions (including support over the phone with a technical support engineer who can help you debug problems). 

Thanks,

Scott

Published Thursday, September 30, 2010 11:30 PM by ScottGu

Comments

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 2:43 AM by imran_ku07

Good to see your team's current hard work.

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 2:52 AM by Thebitstreamer

Thanks GU... I hope we dont need more of that...

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 3:40 AM by Alexander Nyquist

Thanks for your effort on this very issue. You and you're team are doing a great job.

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 3:51 AM by barlog daisuke

m(_ _)m

great works ASP.NET Team!

thanks ScottGu :)

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 3:56 AM by frobnitzz

Excellent news - Thanks :D

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 4:21 AM by yeurch

Thanks for the heads up. Installed the update for 3.5.1, but there was no update found for .NET 4, which I definitely have installed! Strange.

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 4:30 AM by Thomas Hjorth

If you're updating and the only thing you're installing is this particular fix, will it require a server restart?

Thx

Thomas

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 4:38 AM by Keith

Good work. Once the patch is installed I presume we can go back to using our previous error page(s)?

Thanks,

Keith

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 4:53 AM by Rudi Grobler

Do you have any idea when the next azure guest os with this update will be released?

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 5:03 AM by Sivakrishna

Hi Scott,

ur r true inspiration for me...

I had checked updates for my windows server 2008 system, but couldn't see “Security Update for Microsoft .NET Framework”.. pls help me out

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 5:43 AM by Remmus

Since patching I've had problems with the Html.AntiForgeryToken() causing errors for users that had remained logged in.

I've solved it by catching the errors in the global.asax and making the validation cookie (__RequestVerificationToken_Lw__) expire then redirecting the user back. Just incase anyone else comes across the issue.

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 6:11 AM by Jaans

Great news... actaully received them via WSUS before I got this post!

Unfortunately the update is not without problems. Some (not all) Windows Server 2008 R2, Server 2003 and Windows 7 installations had the update installation fail.

After much frustration, eventually even downloading the update from the KB and manually installing it, I could only then see in the log that the verifier failed the update because it was not "trusted". Unfortunately the Windows Update error is far more vague (only giving Error 800B010B) and simply fails the installation.

I would appear that there is a root certificate update that is required to be installed before this update. These had for some reason not reached the servers in question.

A workaround is to install and trust the certificate that comes with the update.

1) Navigate to the update packackage in Explorer and

2) right-click "Properties"

3) Go to the "Digital Signatures" tab and click through to "view" the certificate

4) "Install Certificate" following the default prompts.

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 6:23 AM by sukumarraju

These updates requires server reboot. Is there any work around to avoid this?

Thanks,

Raju

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 12:24 PM by Michael Scrivo

We started getting the following error after patching and rebooting:

Unable to validate data

at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo, Boolean signData)

  at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo)

  at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType)

  at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)

any idea what's causing it?

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 3:00 PM by pitz

Aside from the Persistent Forms Authentication Cookie Behavior described in the post, any encrypted data (encrypted using MachineKeySection.EncryptOrDecryptData())that has been persistently stored before the patch will fail to decrypt after the installation of the patches.

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 4:20 PM by Ryan Wagner

@Michael Scrivo - We had contacted Scott about this same issue, and the solution they came up with for us is in the persistent forms authentication cookie section above.

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 5:01 PM by Philip

[I am an end-user, not a Microsoft employee, so this is NOT "official".]

This may be helpful to determine the specific .NET version numbers installed on the web server. This code can be run in an ASP.NET page, and can be used on hosted or shared servers where you can't directly access the file system to check file versions.

This code reads registry keys (that are accessible to ASP.NET code) and reads the FileVersion information of selected .NET files (again, this information is readable by code in as ASP.NET page) where the file location is determined by the specific registry key.

// ***********

// Call the following method as follows for each of .NET 2.0, 3.5, and 4.0

// Write out the values to your ASP.NET page, for example to an asp:label.

//[...] GetDotNetVersion(".NET 2.0(.50727.0)", @"SOFTWARE\Microsoft\ASP.NET\2.0.50727.0", "Path", "System.Web.dll");

//[...] GetDotNetVersion(".NET 3.5", @"SOFTWARE\Microsoft\.NETFramework\AssemblyFolders\v3.5", "All Assemblies In", "System.Web.Extensions.dll");

//[...] GetDotNetVersion(".NET 4.0", @"SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full", "InstallPath", "System.Web.Extensions.dll");

   string GetDotNetVersion(string DotNetVersion, string RegistryKey, string RegistryValue, string DotNetFile)

   {

       string regpath;

       try

       {

           using (Microsoft.Win32.RegistryKey regKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(RegistryKey))

           {

               regpath = regKey.GetValue(RegistryValue).ToString();

           }

           System.Diagnostics.FileVersionInfo DotNetFileVersionInfo = System.Diagnostics.FileVersionInfo.GetVersionInfo(regpath + @"\" + DotNetFile);

           return DotNetVersion + " - File: " + DotNetFile + " - Version: " + DotNetFileVersionInfo.FileVersion;

       }

       catch { return DotNetVersion + ": N/A"; }

   }

// ***********

I couldn't find a DLL to check for .NET 3.0 (and I don't have a server that has 3.0, but not 3.5, installed.

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 5:03 PM by ScottGu

@yeurch

>>>>>>> Installed the update for 3.5.1, but there was no update found for .NET 4, which I definitely have installed! Strange.

Can you confirm whether ASP.NET is installed on the machine? Do you have VS 2010 on the box?

.NET 4 has both a "client profile" and a "full install" option.  The client profile doesn't have ASP.NET included - and you won't be prompted to install the patch unless you have the full install.

If you think you have the full install (and haven't installed the patch) send me email (scottgu@microsoft.com) and we can help investigate.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 5:05 PM by ScottGu

@thomas,

>>>>>>> If you're updating and the only thing you're installing is this particular fix, will it require a server restart?

It is hard to say - it usually depends on what files are being used at the time the patch is applied.  To be safe I'd assume a reboot might be necessary.

Hope this helps,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 5:05 PM by ScottGu

@Keith,

>>>>>>>> Good work. Once the patch is installed I presume we can go back to using our previous error page(s)?

Yes - once the patch is installed you can go back to using the same error page approach you had before the security issue appeared.

Hope this helps,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 5:33 PM by ScottGu

@Sivakrishna

>>>>>>> I had checked updates for my windows server 2008 system, but couldn't see “Security Update for Microsoft .NET Framework”.. pls help me out

If you can send me email (scottgu@microsoft.com) I can connect you with someone to help.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 5:34 PM by ScottGu

@Raju,

>>>>>>>>> These updates requires server reboot. Is there any work around to avoid this?

The reboot depends on what files are in use at the time the patch is installed.  Just to be safe I'd assume you might need to do the reboot.

Hope this helps,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 5:35 PM by ScottGu

@Michael,

>>>>>>>>Unable to validate data

Can you send me email (scottgu@microsoft.com) with more details?  I can then connect you with someone who can help.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 1, 2010 7:26 PM by RGoddard

Any advice for those of us who still have a few Windows 2000 servers running .NET?  Obviously there are no patches released by Microsoft.  Should we attempt the workarounds?

# re: ASP.NET Security Fix Now on Windows Update

Saturday, October 2, 2010 9:31 AM by Matt

Hi Scott,

We have problems with our Exchange server after this update in that several Exchange services failed to start after the updates were applied. Our environment is: Windows 2008 server + Exchange 2008. Digging deeper we found that after the update, the issues could be traced to the machine.config file and a missing element:

system.servicemodel

once we put this element in the machine.config it would work fine except for Message tracking.

Do you know of any other reports about exchange playing up after the windows update?

# re: ASP.NET Security Fix Now on Windows Update

Monday, October 4, 2010 8:52 AM by MIke

We had no problem installing all the patches to .Net 1.1 through 4.0 on Windows Server 2003 x64 R2 but for Windows Server 2008 x64 R2 with .Net 1.1-4.0 installed the only patches for 3.5.1 and 4.0 are available via Windows Upadte or WSUS. Why? Is it sufficient for Win 2008?

# re: ASP.NET Security Fix Now on Windows Update

Monday, October 4, 2010 9:34 AM by Matt Brown

Just an FYI to those using CommunityServer 8.5 with the single sign-on module, I installed the patches and had to restart the server - worked like a charm afterwards - nothing else needed to do.

# re: ASP.NET Security Fix Now on Windows Update

Monday, October 4, 2010 6:28 PM by Jeremy Gill

Just wanted to note that the patch appears to be overwriting any custom bindings to the net.tcp port settings (resets them to 8080*).  Caught us by surprise but was a simple enough fix once we figured out it was doing that.

# re: ASP.NET Security Fix Now on Windows Update

Monday, October 4, 2010 7:12 PM by damon

We applied the patches this am to our MS Server 2008 SP2 (R1) with Exchange 2007 running as well as BES Server, CA Open file agent, Avira Exchange Antivirus and the MMC broke.

 Errors, .Net issues, no mail flowing, was a mess.  

Slowly undid updates back to pre-update, errors in the event logs went away, exchange still broken....no flow of mail in/out. Crossed our fingers, Reapplied patches and broke MMC again... Un-installed all .Net 3.5 updates and 3.5, re-installed 3.5 from scratch, everything started working. Don't like to blame anyone, but all in all , a wasted day, and it'll be hard to want to re-apply the patches from last week again...soon,... have to do some more investigation.        

# re: ASP.NET Security Fix Now on Windows Update

Monday, October 4, 2010 10:57 PM by Tarik Guney

Thanks for quick patch. I hope hosting providers apply this patch as soon as possible.

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 6:43 AM by John

Scott,

we patched over the weekend and since then we have been getting lots of the following errors:

System.Web.HttpException: This is an invalid webresource request.

  at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)

  at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

I have been browsing forums over the last days and have not found anything similar so it might be something specific to our setup. Any ideas?

Thanks,

John

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 9:13 AM by Jason Baginski

Concerning the code Philip posted.  What versions _should_ we have?  I have three Server 2003 boxes, two of them R2.  One R2 and the regular 2003 both showed the same version numbers for all three.  The other R2 showed a higher version number for 2.0.  

One of the R2 boxes has no windows updates to install(its the one that matches up with the version numbers of the non R2 box).  The other two have the utter nightmare windows .NET framework problem where patches get installed but keep wanting to be reinstalled.  Easy to find, the "fix" is to set them to be ignored.  The "other fix" is to uninstall all the frameworks and resinstall one at a time..which I tried one very-very-very long saturday on the regular 2003 box, just to get back to the same error.  I grew very tired of fighting a loosing battle much like other admins in all the message boards I found with people in similar circumstances.

Now I'm looking on my Windows 7 machine and have a completely different version for 2.0 than the other two versions listed.

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 11:07 AM by Markuz

Scott,

Since we've patched our webservers, we are receiving bunch of errors. Do you know what's going on, or where I can contact Microsoft to report this bug?

See forums.asp.net/.../4112208.aspx for more details.

Markuz

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 11:19 AM by ScottGu

@RGoddard,

>>>>>>> Any advice for those of us who still have a few Windows 2000 servers running .NET?  Obviously there are no patches released by Microsoft.  Should we attempt the workarounds?

Can you send me email (scottgu@microsoft.com) and I can connect you with some folks.  Unfortunately Win2000 is no longer in service so we don't have a specific patch you can install - but we can walk you through some options.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 11:20 AM by ScottGu

@Matt,

>>>>>>>> nce we put this element in the machine.config it would work fine except for Message tracking. Do you know of any other reports about exchange playing up after the windows update?

I haven't heard of issues like this before.  We don't modify the configuration files as part of the patch - so it shouldn't have had an issue.  Could you have accidentally modified the config file as part of the workaround we posted?

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 11:21 AM by ScottGu

@Mike,

>>>>>>>> We had no problem installing all the patches to .Net 1.1 through 4.0 on Windows Server 2003 x64 R2 but for Windows Server 2008 x64 R2 with .Net 1.1-4.0 installed the only patches for 3.5.1 and 4.0 are available via Windows Upadte or WSUS. Why? Is it sufficient for Win 2008?

Can you send me email (scottgu@microsoft.com)?  I can then help you with this.

thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 11:21 AM by ScottGu

@damon,

>>>>>>>> Slowly undid updates back to pre-update, errors in the event logs went away, exchange still broken....no flow of mail in/out. Crossed our fingers, Reapplied patches and broke MMC again... Un-installed all .Net 3.5 updates and 3.5, re-installed 3.5 from scratch, everything started working. Don't like to blame anyone, but all in all , a wasted day, and it'll be hard to want to re-apply the patches from last week again...soon,... have to do some more investigation.    

I'm really sorry you ran into an issue.  Can you send me email (scottgu@microsoft.com) about this and I can connect you with folks who can help.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 11:24 AM by ScottGu

@John,

>>>>>>> we patched over the weekend and since then we have been getting lots of the following errors:  System.Web.HttpException: This is an invalid webresource request.

That is probably to be expected.  It is likely search engine traffic that was accessing your webresource.axd and scriptresource.axd handlers before failing when they try to request old cached versions.  You will see this for awhile until they switch to the new URLs.  If you check your logs my guess is that most of the requests are coming from the same IP address (which is either Google or Bing).

Note that the content coming from these resource handlers isn't really indexable - so it shouldn't impact your SEO driven traffic (since they weren't really user links to begin with).  

Let me know if you have more questions of concerns about this (scottgu@microsoft.com).

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 11:25 AM by ScottGu

@Jason,

>>>>>>>> Concerning the code Philip posted.  What versions _should_ we have?  I have three Server 2003 boxes, two of them R2.  One R2 and the regular 2003 both showed the same version numbers for all three.  The other R2 showed a higher version number for 2.0.  

If you can send me email (scottgu@microsoft.com) I can have someone help.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 11:27 AM by ScottGu

@Michael,

>>>>>>> For Windows 7 / Windows Server 2008 R2 the only affected software is .Net 3.5.1 and 4.0 (see screenshot at the top of this page as well as www.microsoft.com/.../ms10-070.mspx) thus only these patches are available in Windows Update.

.NET 3.5.1 includes .NET 2 - so you shouldn't need to install a separate patch for that.  If you have .NET 1.1 on the machine then you will want to download the .NET 1.1 patch.

Let me know if you have more questions (scottgu@microsoft.com) and we can help.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 11:28 AM by ScottGu

@markuz,

>>>>>>> Since we've patched our webservers, we are receiving bunch of errors. Do you know what's going on, or where I can contact Microsoft to report this bug?

My guess is that those are browsers that have cached pages in their client-cache and are re-validating the scriptresource/webresource content.  You'll see this for a short period - after which your users client side caches will be up to date.  If you are still seeing this for awhile send me email (scottgu@microsoft.com) and we can help.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 3:52 PM by Rod Mac

I've installed patch NDP40-KB2416472-x86.exe onto a 32 bit Win Server 2003 with .NET 4.0 and running ASP.NET 3.5 SP1. The website is erroring in some but not all cases - my dev machine is fine and I can't repro it. Unfortunately work patterns mean I can't be around to turn off customerrors mode when the customer is around so I was going to remove the patch and re-apply the workaround. However, to make matters worse, it's the patch is not appearing in the add/remove programs dialog. The logs show:

Exception information:

   Exception type: HttpException

   Exception message: Unable to validate data.

  at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo, Boolean useLegacyMode, IVType ivType, Boolean signData)

  at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)

  at MyCompany.Data.GetIDFromCookie()

Thanks,

Rod

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 5, 2010 4:49 PM by Philip

Using the ASP.NET code I posted above [October 01, 2010 5:01 PM], the following are the version numbers that I see on four different fully-updated systems. These systems previously had all Windows Updates and service packs (if any) installed, and now have the ASP.NET security fix available from Windows Update installed.

64-bit Windows Server 2008 R2 (this server never had .NET 3.5 installed, only .NET 4.0):

.NET 2.0(.50727.0) - File: System.Web.dll - Version: 2.0.50727.4955 (win7RTMGDR.050727-4900)

.NET 3.5: N/A

.NET 4.0 - File: System.Web.Extensions.dll - Version: 4.0.30319.206

64-bit AND 32-bit (2 different systems) Windows Server 2003 R2 SP2:

.NET 2.0(.50727.0) - File: System.Web.dll - Version: 2.0.50727.3618 (GDR.050727-3600)

.NET 3.5 - File: System.Web.Extensions.dll - Version: 3.5.30729.3644

.NET 4.0 - File: System.Web.Extensions.dll - Version: 4.0.30319.206

64-bit Windows 7:

.NET 2.0(.50727.0) - File: System.Web.dll - Version: 2.0.50727.4955 (win7RTMGDR.050727-4900)

.NET 3.5 - File: System.Web.Extensions.dll - Version: 3.5.30729.4953

.NET 4.0 - File: System.Web.Extensions.dll - Version: 4.0.30319.206

Note: In each machine above, I believe IIS is running in 32-bit mode.

# re: ASP.NET Security Fix Now on Windows Update

Wednesday, October 6, 2010 11:13 AM by Trey

I have a question regarding the recent ASP.NET vulnerability. It is possible to be exploited If an unpatached system has ASP.NET installed, but the service is not running?

# re: ASP.NET Security Fix Now on Windows Update

Wednesday, October 6, 2010 1:09 PM by Philip

To John Dyer - regarding your comment above about configuring legacy encryption mode. Doesn't this force ASP.NET to use the old-style encryption that is vulnerable to the attack that this security fix is intended to protect against?

If you're sharing a forms authentication cookie across subdomains, I think you need to ensure that the exact same keys and syntax are used for the machineKey section in the web.config for each subdomain (and also that the encryption mechanism defined in the machineKey is compatible with the oldest version of .NET used in the subdomains).

Why can't you use the same .NET version in each of the subdomains?

# re: ASP.NET Security Fix Now on Windows Update

Wednesday, October 6, 2010 1:51 PM by John Doe

I was wondering how this particular patch is going to address the Padding Oracle Atack?

# re: ASP.NET Security Fix Now on Windows Update

Wednesday, October 6, 2010 8:17 PM by Clinton

We're having the same issues with 'Unable to Validate' - it's sporadic as it only affects users with encrypted cookies. We even rolled back the hotfix and it didnt seem to work! Yikes. Has the rollback worked for anyone else?

# re: ASP.NET Security Fix Now on Windows Update

Sunday, October 10, 2010 12:12 PM by Chad

Careful with this update if you are using forms authentication with .net 1.1 and 4.0 sharing the cookie. I talked with Microsoft support and there is a private patch that you need to make this work. Apparently the out of the box patch (listed here) is broken with 1.1 and 4.0 encrypting/decrypting the cookie. Hopefully a new patch will be made available asap.  

# re: ASP.NET Security Fix Now on Windows Update

Monday, October 11, 2010 4:20 AM by Sebastian Claesson

We where having the same issues with 'Unable to Validate' on all our resource-files. We removed the file-compression module we where using (Miron.web) and that fixed it.

# re: ASP.NET Security Fix Now on Windows Update

Monday, October 11, 2010 9:58 AM by Charles Windhausen

The .NET 3.51 KB2416471 update fails over and over with the infamous 0x80070002 error (file not found). This on a Windows 7 x64 with all my development software on it. KB979916 and KB983590 also fail for a total of three failures that show up every day in the Windows Update history list. Any logs I might look at to figure this out?

# re: ASP.NET Security Fix Now on Windows Update

Monday, October 11, 2010 1:58 PM by ScottGu

@Charles, @Sebastian

Can you send me email (scottgu@microsoft.com) with details of the issue?  I can then loop you in with someone who can help.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Monday, October 11, 2010 1:59 PM by ScottGu

To Everyone

Please send me email (scottgu@microsoft.com) if you have problems or questions installing the patch.  We can then help address any issues you encounter.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Wednesday, October 13, 2010 8:22 AM by Richard

@Chad

I'm having trouble with sharing cookie .net 1.1 and 2.0, might this be related to the problem with the out of the box patch you mention for .net 1.1 and 4.0?  How if so, how do I go about acquiring the additional patch?

Any help would be greatly appreciated.

Cheers

Richard

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 15, 2010 12:41 AM by renzaixn

I know, thanks.

# re: ASP.NET Security Fix Now on Windows Update

Thursday, October 21, 2010 12:00 PM by Brad

Scott -

FYI We found that installing the patches broke shareing Forms authentication across .Net 2.0 and 1.1.  After removing the patches sharing authentication works again.  Seems to be all three of the pathes combined.

               2416451 - .net 1.1 security patch

               980773 - .net 2.0 SP 2

               2418241 - .net 2.0 SP 2 and .net 3.5 SP 1 security patch

On server 2003 sp3.  No persistent cookie.

# re: ASP.NET Security Fix Now on Windows Update

Friday, October 22, 2010 10:14 AM by Doug

I uninstalled KB980773 and KB2418241 after this patch broke the authentication sharing between a 1.1(makes the cookie) and 2.0 app (reads the cookie), but the authentication is still broken. Any idea why rolling back the patches isn't fixing our issue?

Also, I can't find KB2416451 on the machine so I don't think that is an issue. Any input would be appreciated.

# re: ASP.NET Security Fix Now on Windows Update

Saturday, October 23, 2010 6:42 AM by Rod Mac

Is there any way of checking that the patch has been applied to a shared server space in case an ISP hasn't done the necessary?

TIA.

# re: ASP.NET Security Fix Now on Windows Update

Monday, October 25, 2010 2:14 AM by ScottGu

@Brad and @Doug,

Can you guys send me email (scottgu@microsoft.com) and I can connect you with someone who can help.

Thanks,

Scott

# re: ASP.NET Security Fix Now on Windows Update

Tuesday, October 26, 2010 6:28 AM by RockMonster

@Brad and @Doug

Did you have any luck in resolving your issue with sharing authentication between .net 1.1 and .net 2.0 applications?  I've emailed Scott directly, but he's unavailable at the moment and won't be checking his emails, so was looking to progress in the mean time.

Any help would be gratefully appreciated.

Thanks

Richard

# re: ASP.NET Security Fix Now on Windows Update

Wednesday, October 27, 2010 5:51 AM by IainJ

@Richard - we have the same issue as you (shared authentication between 1.1 and 2.0 apps is broken), but I have had MS Support confirm to me they are working on a hotfix for this. Hopefully it won't be long, but luckily its not too serious for us since our 1.1 app is Reporting Services 2000 (so not critical to have to log in again to view reports)

Cheers, Iain.

# re: ASP.NET Security Fix Now on Windows Update

Thursday, November 11, 2010 6:50 PM by Brian

Thanks for posting this. Just had an issue where we added an extra node to our web farm and it had all the latest updates and than the other nodes which were installed over a year ago. Was difficult to find out what was causing this but finally found this blog and lead me right to the problem thanks.

# re: ASP.NET Security Fix Now on Windows Update

Thursday, November 18, 2010 3:33 AM by xxxmatko

Thanks for posting this.