ASP.NET Security Update Now Available

This morning Microsoft released a security update that addresses the ASP.NET Security Vulnerability that I’ve blogged about this past week.  We recommend installing it as soon as possible on your web-servers.

Common Questions/Answers

Below are some answers to a few common questions people have asked:

Do the updates require me to change any code?

No. The update should not require any code or configuration change to your existing ASP.NET applications.

Will I still need to use the workarounds after I install the update?

No. The update removes the need to use the security workarounds we’ve published this past week.  Those were temporary steps that could be taken to protect yourself before the update was released.  After you’ve installed the update you no longer need to use them. 

What is the impact of applying the update to a live web-server?

If you apply the update to a live web-server, there will be some period of time when the web-server will be offline (although an OS reboot should not be required). You’ll want to schedule and coordinate your updates appropriately.

Importantly – if your site or application is running across multiple web-servers in a web-farm, you’ll want to make sure the update is applied to all of the machines (and not just some of them). This is because the update changes the encryption/signing behavior of certain features in ASP.NET, and a mix of patched and un-patched servers will cause that encryption/signing behavior to be incompatible between them.  If you are using a web-farm topology, you might want to look at pulling half of the machines out of rotation, update them, and then swap the active and inactive machines (so that the updated machines are in rotation, and the non-updated ones are pulled from rotation and patched next) to avoid these mismatches.

Does this update work with SharePoint?

Yes.  We have not found any issues in testing SharePoint with this security update.  You should install it on SharePoint servers to ensure that they are not vulnerable.

Can I both install and uninstall the update?

Yes. The updates support install and uninstall scenarios.  Note that if you uninstall the update, though, it will leave your system unprotected.

Downloading the Updates

We are releasing the security update today via the Microsoft Download Center.  We will also release the update via Windows Update and the Windows Server Update Service in a few days as we complete final distribution testing via these channels. Once the update is on Windows Update, you can simply run Windows Update on your computer/server and Windows Update will automatically choose the right update to download/apply based on what you have installed.

Update: You can now use Windows Update and Windows Server Update Services (WSUS) to install the patches.  You can learn more about this here.

If you download the updates directly from the Microsoft Download Center, then you need to manually select and download the appropriate updates.  Below is a table of all of the different update packages available via the Microsoft Download Center today. The downloads are split up by Windows Operating System (and corresponding service pack and processor architecture).  Each operating system version bucket below includes a listing of all available versions of .NET that are supported on it, and includes KB and download links to the appropriate security updates. 

Find your operating system within the below chart, then check to see which versions of .NET you have installed on it (details on how to determine which version of the .NET Framework is installed can be found here).  Download and apply the update packages for each version of .NET that you are using on that server.

Windows Server 2008 R2 and Windows 7

  .NET Framework Version                    KB Article            Patch
  .NET Framework 3.5.1 (Default install)    KB2416471             Download
  .NET Framework 4                          KB2416472             Download

Windows Server 2008 SP2, Windows Vista SP2

  .NET Framework Version                    KB Article            Patch
  .NET Framework 2.0 SP2 (default install)  KB2416470             Download
  .NET Framework 4                          KB2416472             Download
  .NET Framework 3.5 SP1                    KB2416470, KB2416473  Download, Download*
  .NET Framework 3.5                        KB2416470, KB2418240  Download, Download*
  .NET Framework 1.1 SP1                    KB2416447             Download

*When multiple patch downloads are listed above against a .NET version (for example with .NET 3.5 SP1 and .NET 3.5 installs) then all patches should be installed (order is not relevant).

Windows Server 2008, Windows Vista SP1

  .NET Framework Version                    KB Article            Patch
  .NET Framework 2.0 SP1 (default install)  KB2416469             Download
  .NET Framework 4                          KB2416472             Download
  .NET Framework 3.5 SP1                    KB2416474, KB2416473  Download, Download*
  .NET Framework 2.0 SP2                    KB2416474             Download
  .NET Framework 3.5                        KB2416469, KB2418240  Download, Download*
  .NET Framework 1.1 SP1                    KB2416447             Download

*When multiple patch downloads are listed above against a .NET version (for example with .NET 3.5 SP1 and .NET 3.5 installs) then all patches should be installed (order is not relevant).

Windows Server 2003 SP2 32-bit

  .NET Framework Version                    KB Article            Patch
  .NET Framework 1.1 SP1 (default install)  KB2416451             Download
  .NET Framework 4                          KB2416472             Download
  .NET Framework 3.5 SP1                    KB2418241, KB2416473  Download, Download*
  .NET Framework 2.0 SP2                    KB2418241             Download
  .NET Framework 3.5                        KB2416468, KB2418240  Download, Download*

*When multiple patch downloads are listed above against a .NET version (for example with .NET 3.5 SP1 and .NET 3.5 installs) then all patches should be installed (order is not relevant).

Windows Server 2003 64-bit

  .NET Framework Version/SP                 KB Article            Patch
  Default OS Configuration                  NA                    NA
  .NET Framework 4                          KB2416472             Download
  .NET Framework 3.5 SP1                    KB2418241, KB2416473  Download, Download*
  .NET Framework 2.0 SP2                    KB2418241             Download
  .NET Framework 3.5                        KB2416468, KB2418240  Download, Download*
  .NET Framework 1.1 SP1                    KB2416447             Download

*When multiple patch downloads are listed above against a .NET version (for example with .NET 3.5 SP1 and .NET 3.5 installs) then all patches should be installed (order is not relevant).

Windows XP SP3 32-bit and 64-bit

  .NET Framework Version/SP                 KB Article            Patch
  Default OS Configuration                  NA                    NA
  .NET Framework 4                          KB2416472             Download
  .NET Framework 3.5 SP1                    KB2418241, KB2416473  Download, Download*
  .NET Framework 2.0 SP2                    KB2418241             Download
  .NET Framework 3.5                        KB2416468, KB2418240  Download, Download*
  .NET Framework 1.1 SP1                    KB2416447             Download

*When multiple patch downloads are listed above against a .NET version (for example with .NET 3.5 SP1 and .NET 3.5 installs) then all patches should be installed (order is not relevant).

Summary

We recommend immediately applying the security update to your servers in order to protect your applications against attackers trying to exploit them.  We’d like to thank Juliano Rizzo and Thai Duong, who discovered that their previous research worked against ASP.NET, for not releasing their POET tool publicly before our update was ready.

You can ask questions and get help with the security vulnerability and update in a special ASP.NET Forum that we have setup here.  If you have problems or questions you can also contact Microsoft Customer Support for help (including support over the phone with a support engineer).  The official Microsoft Security Bulletin post is here.

Thanks,

Scott

107 Comments

  • What about updates for Windows Azure?

  • Thanks for this. Well done to you and your team for such a speedy response.

  • Thanks for the workaround and for those patches !!

  • If we're running our applications on Azure, a) does this affect us and b) has it been taken care of there?

    Thanks!

  • What about updates for Windows Azure?

  • Thank you, Scott, for the links. I'll be informing my students.

  • When i have a Windows Server 2008 R2 with all frameworks installed only have to patch 3.5.1 and 4.0 ?

  • Any information when fixes will be available to WSUS based shops?

  • Hi,

    I have windows server 2008 r2 x64. There are only two updates available for that? I have installed both updates, is that enough? (I only have .net 2.0 and 3.5 sites hosted there). I looked up on kb article and it seems 3.5 update also updates 2.0 too(??). I just want to make sure I have done it correctly.

    Many thanks,
    Min

  • Thank you.
    I just applied the update. You said a reboot was not required, however I was asked for a reboot after installing the patch.
    After rebooting, I noticed that my session was gone, and I had to re-login.

  • Can't get into the forums so I'll ask here and cross my fingers:
    I'm running Windows Server 2008 R2 which seems to have the .NET Framework 2.0. The table above only lists updates for 3.5.1 and 4.0... am I good or do I need to install the x64 version of the 2.0 update for Server 2008 (non-R2)?

    Confused... but THANKS!

  • How do we test that we are secure after we have applied the patch?

  • Is Microsoft W.I.F. affected? We use the MachineKeySessionSecurityTokenHandler (passive federation) and are concerned about how the Oracle padding vulnerability affects it.


    thanks

  • So far this isn't working out too well. I have a server with 3.5 (presumably SP1 since the systems are all patched with every available update) and 4.0.

    The system is Server 2008 x86 SP2.

    I downloaded both 3.5 SP1 patches. The first one forced a reboot. The second one installed. The 4.0 patch (NDP40-KB2416472-x86.exe) says "KB2416472 does not apply, or is blocked by another condition on your computer." but 4.0 is definitely on the server. Now I am not sure if I am patched or not. Did the 3.5 sp1 installer patch the 4.0 or is the 4.0 patch just broken?

  • Thanx!!
    There is one question that is bothering me since 'it al started'. How comes that you (or actually we all did, including Java, Flickr and Ruby quys) missed this one? Padding oracles are simple and well known since 2002 (even I can understand it). Rizzo and Duong published their 'Practical padding oracles' somewhere in june this year. I'm quite uncomfortable with the idea that relatively 'simple crypto-attacks' are capable of messing up the security of the web framework we (my company) trust and use to develop our software on.
    This is actually not particular 'ASP.NET or Microsoft' criticism, but a more general question. Are there any actions Microsoft takes to prevent these kind of flaws in the future? Do you think the (ASP.NET) developer community could contribute in some ways? Learn more about cryptography and read crypto-papers? What's your (Microsoft's) opinion on this?

  • I have a question for all of the .NET experts out there (a coveted group which I am unfortunately not a part of) :)

    I have a Windows Server 2008 R2 system that shows "Microsoft .NET Framework 4 Extended" in the Programs and Features section of the Control Panel. There is no entry for a 3.5 version of .NET that I can see. Additionally, I have both a Framework and Framework64 folder under the C:\Windows\Microsoft.NET location. In the Framework folder, I see v1.0, v1.1, v2.0, and v4.0 folders. In the Framework64 folder I see v2.0 and v4.0 folders. Whew! OK, now that my environment has been described, I can get to the questions...

    Based on the chart above, it would seem that I should only have to download the patch associated with KB2416472 (Server 2008 R2 .NET 4). However, here are my questions:

    1) Do I actually need to install and run BOTH KB2416472 (Server 2008 R2 .NET 4) AND KB2416471 (Server 2008 R2 .NET 3.5) to be protected?

    2) Since I see both Framework and Framework64 folders, do I need to run both the x86 and x64 installers found on those KB websites?

    3) What about other flavors of Windows in the above chart that have several versions of .NET listed (like Windows Server 2003 SP2 32-bit)? Would I need to install each patch listed in the chart for that particular operating system in order to be protected?

    Thanks for any input or explanation that can be offered regarding all these different framework and runtime versions and how they apply to 32-bit vs. 64-bit systems. It's a sea of confusion for me, and I'm not exactly Magellan ;)

  • Hi, what happens if I don't have access to the OS? I have some applications at a hosting partner but I only have access to the FTP server.
    Thanks

  • Great work, thanks for the effort!

  • An iisreset has seemed to correct the issue I was seeing. The error was also accompanied by:

    Warning: IIS log failed to write entry, File /LM/W3SVC/xx/Root/xxxxx.xxx Line xx Object required: 'Request'. .

  • On 64bit systems, do the x64 .msu's update both the x86 AND the x64 versions of the framework or do I need to download both of:

    Windows6.1-KB2416471-x64.msu
    Windows6.1-KB2416471-x86.msu

    to patch 64bit environments?


  • -"When i have a Windows Server 2008 R2 with all frameworks installed only have to patch 3.5.1 and 4.0 ?"

    Answer: Yes. Windows 7 and Windows Server 2008 R2 come with 3.5 SP already installed. Additionally you may have also installed .NET 4. As a result the only Framework versions that need to be patched on Windows 7 and Windows Server 2008 R2 are 3.5 SP1 and .NET 4.

  • -"On 64bit systems, do the x64 .msu's update both the x86 AND the x64 versions of the framework or do I need to download both?"

    Answer: For 64-bit systems you only need to install the 64-bit patches. The 64-bit patches will automatically patch both 32-bit and 64-bit versions of a given Framework on the machine.

  • -"Hi, what happens if I don't have access to the OS? I have some applications at a hosting partner but I only have access to the FTP server."

    Answer: For cases like shared hosting servers, the company running the shared hosting servers will need to apply the patches themselves.

  • @svnv, Eric
    If you are using the Azure platform to host ASP.Net websites, you are affected by this issue. The Azure team is actively rolling out the update in their environment and they will hopefully have more information on their blog.

  • @steve schofield
    WSUS is working on a 24x7 schedule to release the update on the WU channel, but this requires additional authoring and testing that will take a few days.

  • @oswaldo, sschack
    If your ASP.NET applications are being hosted by a hosting provider, they will need to make sure they apply the security update in a timely fashion.

  • >>When i have a Windows Server 2008 R2 with all frameworks installed only have to patch 3.5.1 and 4.0 ?

    Ube, Windows Server 2008 R2 ships with the .NET Framework 3.5.1 built in, additionally you can also install the .NET Framework 4 on top of Windows Server 2008 R2. So you would need to patch 3.5.1 and if you did install .NET Framework 4 then you should apply the corresponding patch too.

    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • This knowledge base article provides guidance on how you can identify all different versions of the .NET Framework that might be installed:

    http://support.microsoft.com/kb/318785

    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • >>Any information when fixes will be available to WSUS based shops?

    Steve, we're working round the clock on making the updates available via WU and WSUS but we need to ensure we have the highest possible quality release before we distribute this broadly to customers via WU/WSUS. So the answer is really as soon as we possibly can.

    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • >>I have windows server 2008 r2 x64. There are only two updates available for that? I have installed both updates, is that enough? (I only have .net 2.0 and 3.5 sites hosted there). I looked up on kb article and it seems 3.5 update also updates 2.0 too(??). I just want to make sure I have done it correctly.

    Min, Windows Server 2008 R2 shipped with the .NET Framework 3.5.1 built in. So you should install the corresponding patch (KB2416754). Additionally, if you have installed the .NET Framework 4 on top of this you would need to install the corresponding update (KB2416472).


    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • >>I'm running Windows Server 2008 R2 which seems to have the .NET Framework 2.0. the table above only lists updates for 3.5.1 and 4.0... am I good or do I need to install the x64 version of the 2.0 update for Server 2008 (non-R2)?

    Some IT Dood, Windows Server 2008 R2 shipped with the .NET Framework 3.5.1 built in; this internally consists of updated versions of the 2.0, 3.0 and 3.5 feature layers. So installing the 3.5.1 patch KB2416754 will update the 2.0 and 3.5 feature layers as expected. Additionally, if you have installed the .NET Framework 4 on top of this you would need to install the corresponding update (KB2416472).


    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • >>The 4.0 patch (NDP40-KB2416472-x86.exe) says "KB2416472 does not apply, or is blocked by another condition on your computer." but 4.0 is definitely on the server. Now I am not sure if I am patched or not. Did the 3.5 sp1 installer patch the 4.0 or is the 4.0 patch just broken?

    Eric, the patch for the .NET Framework 4 targets the .NET Framework "Full" SKU, this is different from the .NET Framework 4 Client Profile. Could you please check if you have the Client Profile installed rather than the Full version? If you do have only Client Profile installed, then you do not have ASP.NET bits on your machine and the .NET Framework 4 patch is not applicable for your system.

    Thanks,
    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • >>Bit confused around Server 2008 w/ .net 1.1 sp1. According to microsoft you need to apply kb2416447. And it says that this is supported on the download page: www.microsoft.com/.../details.aspx
    >>But it won't run on 2008, and the kb page itself ( support.microsoft.com ) has no mention of 2008 support! Also, the filename says x86, no clarity if there is a separate x64 version or not.

    confusing!, the .NET Framework 1.1 SP1 is only available in a 32-bit (x86) version, but this can be installed and run on a 64-bit machine up to Windows Server 2008 (later versions of the OS do not support 1.1). Since the 1.1 product is only available in the x86 architecture the corresponding patch is also available in the same architecture and should be usable on a Windows Server 2008 64-bit installation.

    We have tested KB2416447 in this configuration so it should work, but it is hard to tell why exactly the installation is failing on your machine, I would recommend calling free technical support at 1-866-PCSAFETY, they should be able to help debug your particular problem.

    Thanks,
    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • >>I have a question for all of the .NET experts out there (a coveted group which I am unfortunately not a part of) :)

    >>I have a Windows Server 2008 R2 system that shows "Microsoft .NET Framework 4 Extended" in the Programs and Features section of the Control Panel. There is no entry for a 3.5 version of .NET that I can see. Additionally, I have both a Framework and Framework64 folder under the C:\Windows\Microsoft.NET location. In the Framework folder, I see v1.0, v1.1, v2.0, and v4.0 folders. In the Framework64 folder I see v2.0 and v4.0 folders. Whew! OK, now that my environment has been described, I can get to the questions...

    >>Based on the chart above, it would seem that I should only have to download the patch associated with KB2416472 (Server 2008 R2 .NET 4). However, here are my questions:

    >>1) Do I actually need to install and run BOTH KB2416472 (Server 2008 R2 .NET 4) AND KB2416471 (Server 2008 R2 .NET 3.5) to be protected?

    >>2) Since I see both Framework and Framework64 folders, do I need to run both the x86 and x64 installers found on those KB websites?

    >>3) What about other flavors of Windows in the above chart that have several versions of .NET listed (like Windows Server 2003 SP2 32-bit)? Would I need to install each patch listed in the chart for that particular operating system in order to be protected?

    >>Thanks for any input or explanation that can be offered regarding all these different framework and runtime versions and how they apply to 32-bit vs. 64-bit systems. It's a sea of confusion for me, and I'm not exactly Magellan ;)


    rk, this knowledge base article provides details on how to identify the different versions of the .NET Framework that may be installed or may have come as part of the operating system: http://support.microsoft.com/kb/318785

    1. Yes you do need to run both KB2416472 and KB2416471 to be protected. The first one is required because you have indicated you have the .NET Framework 4 installed and the second one is required because you have the .NET Framework 3.5.1 built in into your Windows Server 2008 R2 OS.

    2. You need to only run the 64-bit version of the patch, that should update both folders.

    3. You need to install all patches for all versions that you have installed on each machine. The table in Scott's blog lists all possible versions of the .NET Framework that may be installed and are supported on each OS. If a machine does not have a particular version of the .NET Framework installed then you would not need the corresponding patch.

    Thanks,
    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • Thanks for the update Scott.

    If I have multiple .Net versions installed in my server, do I need to install a patch for each one of them or just the one for the latest .Net version?

    Thanks

  • Cheers for that, but this is mayhem! wrap it up in a single download that figures out what to install. let the computers do the thinking. I won't install anything.

  • >>Cheers for that, but this is mayhem! wrap it up in a single download that figures out what to install. let the computers do the thinking. I won't install anything.

    ooswald, the experience you mention will be available as part of the Windows Update and WSUS deployment as soon as we have completed the testing for the broad distribution.

    Thanks,
    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • >>If I have multiple .Net versions installed in my server, do I need to install a patch for each one of them or just the one for the latest .Net version?

    Essam, yes, you would need to patch all installed versions of the .NET Framework since all versions have the vulnerability.

    Thanks,
    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • >>I see the description on the update states XP, Win2003, Vista and 2008... but I'm of course significantly concerned at the disconnect between your tables above vs the update description vs MS10-070's info on this. Can you clarify PLEASE??

    Damon, thanks for bringing the discrepancy to our attention, other customers also reported the same issue. The information Scott provided in the tables above is accurate, we are working to fix the KB articles.

    Thanks,
    Jamshed Damkewala
    Lead Program Manager, DevDiv Sustained Engineering Team

  • The 4.0 patch (NDP40-KB2416472-x86.exe) says "KB2416472 does not apply, or is blocked by another condition on your computer." but the FULL version of 4.0 is on the server.
    Patching of 2.0 and 3.5 went ok.

  • The Microsoft.NET folder on Windows 2003 SP2 x86 reads:
    v1.0.3705
    v1.1.4322
    v2.0.50727
    v3.0
    v3.5

    Do I have to install 4 updates?
    What about v1.0? Is it possible to remove 1.0 and 1.1? We don't need 1.0 or 1.1 anymore.

    What about .NET 2.0 on Windows 2000? Dead and unsafe for ever?

  • "Do the updates require me to change any code?

    No. The update should not require any code or configuration change to your existing ASP.NET applications."

    This is not always true. If you use the CompositeScript feature of ScriptManager then your site can break because the generated url can exceed 1024 characters after the update.

  • Hi Jamshed,

    Could you please tell me - do I need to have .Net updated on both server AND development machine, or do I just need to worry about the server? If the server is updated, but development machine is not, will I have a problem at deployment time?

    Cheers.

  • In case of persisting sessionstate information into the sessionstate DB, does this have to be reset in the course of applying the patch?
    thanks

  • How about making available a single setup/installer that detects what's installed on the system and downloads the required patches and applies them?

    x64 setup/installer should also detect if x86 framework is installed and do necessary patching for that too.

  • We have .NET 1.1 applications running on Windows Server 2008 R2, for which there doesn't appear to be a patch listed. Is the patch for 1.1 for 2008 SP2 (KB2416447) suitable?

  • I do not see 2003 R2 listed? Will the 2003 SP2 work for it? Noticed 2008 has SP2 and R2.

  • Hi All, are there any patches for NET 3.0, or are we covered with 3.5 updates?

  • Is there a link to patches that would apply to Window Server 2003 Enterprise Edition SP1?

    Thanks,

    Mark

  • These updates don't seem to update the relevant registry keys that can be queried to find the specific version number installed for each .NET framework version.

    That is, for example, the update for .NET 3.5 SP1 for 64-bit Windows Server 2008 R2 installs files with version numbers of 2.0.50727.4955 and 3.5.30729.4953.

    However, the registry entry for Version under
    HKLM\Software\Microsoft\NET Framework Setup\NDP\v2.0.50727
    still shows 2.0.50727.4927 (the same version as before this update was installed).

    And, the registry entry for Version under
    HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5
    still shows 3.5.30729.4926 (the same version as before this update was installed).

  • I'm having trouble determining whether the patches are working as advertised -- it looks like DetectCustomErrorsDisabled31.vbs is only scanning my web.configs for the workaround and cannot tell if a website is actually secure or not.

    Ideas?

  • Thank you for the information on this bulletin. My questions are: Do I need to install this patch immediately if my IIS website running ASP.NET requires a client certificate to access the website? Does requiring client certificates mitigate this vulnerability?

  • >Could you please tell me - do I need to have .Net updated on both server AND development machine, or do I just need to worry about the server? If the server is updated, but development machine is not, will I have a problem at deployment time?

    Eventually both sets of machines should be updated since the behavior of encrypted state information has changed. However for the short term the most important thing is to apply the patches to the production machines ASAP.

  • >In case of persisting sessionstate information into the sessionstate DB, does this have to be reset in the course of applying the patch?

    Patched machines may need to be iisreset - in which case session state stored *in-process* will be lost. However session state stored in either the out-of-process session state service, or stored in Sql Server, will be unaffected and will still be available.

  • >Wednesday, September 29, 2010 4:13 AM by Marcus
    >We have .NET 1.1 applications running on Windows Server 2008 R2, for which there doesn't appear to be a patch listed. Is the patch for 1.1 for 2008 SP2 (KB2416447) suitable?

    There is no patch for 1.1 on Windows 7 or Windows Server 2008 R2. .NET 1.1 is not supported on either Windows 7 or WS08R2.


    >Wednesday, September 29, 2010 6:14 AM by sterling
    >I do not see 2003 R2 listed? Will the 2003 SP2 work for it? Noticed 2008 has SP2 and R2.

    The patches for Windows Server 2003 also apply to Windows Server 2003 R2.


    >Wednesday, September 29, 2010 6:18 AM by BT
    >Hi All, are there any patches for NET 3.0, or are we covered with 3.5 updates?

    .NET 3.0 is not affected by the security issue and thus does not need to be patched.


  • great job, thanks for this information !

  • >I'm having trouble determining whether the patches are working as advertised -- it looks like DetectCustomErrorsDisabled31.vbs is only scanning my web.configs for the workaround and cannot tell if a website is actually secure or not.

    The VBScript was for determining if the workarounds need-to-be/had-been applied. The patch supersedes all of the previously published workarounds. Once the patches are installed the workarounds can be backed out and the VBScript is no longer needed.

    A simple way to see if the patches are installed is to compare the length of the webresource.axd and scriptresource.axd Urls between a machine with the patch and a machine without the patch. On a patched machine the Urls will be longer - specifically the "d" query-string value will be longer.

  • >Does the patch protect from timing attack? Troy Hunt had a nice blog about the timing attack (www.troyhunt.com/.../why-sleep-is-good-for-your-apps-padding.html).

    The patch adds a signature to all encrypted state - and performs a verification check prior to attempting any decryption of state. As a result the patch protects against padding oracle attacks by not allowing the attack to even start. Since a padding oracle attack requires bit-twiddling the encrypted state, that bit-twiddling invalidates the digital signature on the encrypted state. With the patch ASP.NET will not attempt to decrypt tampered state information.
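    The behaviour sschack describes, modelled as an added example (this is not code from Scott's post or from ASP.NET itself): a toy 8-byte Feistel block cipher in CBC mode stands in for AES, keys, IV and the state string are constructed sample values, and the HMAC-SHA256 tag layout is an assumption for illustration. The "legacy" handler decrypts first and lets padding failures surface as a distinguishable error; the "patched" handler verifies the signature over the whole token and rejects any tampered token before the cipher ever runs.

```python
import hashlib
import hmac

BLOCK = 8          # toy block size in bytes (illustration only, not AES)
ROUNDS = 4


class PaddingError(ValueError):
    """Decryption ran and the padding was malformed: a distinguishable failure."""


class TamperedError(ValueError):
    """Signature check failed; nothing was decrypted."""


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed hash of (round number, half block)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, left, rnd)), left
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, prev, out = pad(plaintext), iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i : i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i : i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return unpad(out)


# Pre-patch shape: token = iv || ciphertext, decrypted as-is. A padding
# failure surfaces as its own error, which is the oracle.
def legacy_seal(enc_key: bytes, iv: bytes, state: bytes) -> bytes:
    return iv + cbc_encrypt(enc_key, iv, state)


def legacy_open(enc_key: bytes, token: bytes) -> bytes:
    return cbc_decrypt(enc_key, token[:BLOCK], token[BLOCK:])


# Patched shape: token = iv || ciphertext || HMAC(iv || ciphertext).
# The tag is checked first; a tampered token never reaches the cipher.
def patched_seal(enc_key: bytes, mac_key: bytes, iv: bytes, state: bytes) -> bytes:
    body = iv + cbc_encrypt(enc_key, iv, state)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def patched_open(enc_key: bytes, mac_key: bytes, token: bytes) -> bytes:
    body, tag = token[:-32], token[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise TamperedError("invalid signature")  # uniform rejection, no decrypt
    return cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])


def probe(handler, token: bytes, index: int, mask: int) -> str:
    """Flip one bit of a token and classify how the handler responds."""
    tampered = bytearray(token)
    tampered[index] ^= mask
    try:
        handler(bytes(tampered))
        return "ok"
    except PaddingError:
        return "bad padding"
    except TamperedError:
        return "rejected"


if __name__ == "__main__":
    ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"  # sample keys
    IV, STATE = bytes(range(BLOCK)), b"uid=42;role=user"              # sample state
    legacy, patched = legacy_seal(ENC_KEY, IV, STATE), patched_seal(ENC_KEY, MAC_KEY, IV, STATE)
    for index in (0, 3 * BLOCK - 1):  # flip a bit in the IV, then in the block before the last
        print("legacy :", probe(lambda t: legacy_open(ENC_KEY, t), legacy, index, 0x80))
        print("patched:", probe(lambda t: patched_open(ENC_KEY, MAC_KEY, t), patched, index, 0x80))
```

    The legacy handler answers "ok" for one tamper and "bad padding" for the other, which is exactly the signal a padding oracle needs; the patched handler answers "rejected" for both.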

  • I'm unable to apply the .NET 1.1 patch to a Server 2003 SP2 x86 machine. I'm receiving the error:

    "The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch."

    I've validated that the SP reg entry = 1 in HKLM\Software\Microsoft\NET Framework Setup\NDP\v.1.1.4322. Any ideas?

  • >>what is the post installation ASP.NET application behaviour.. what do we see than before.. means how to test to make sure the patch is installed and working without impacting other functionalities of the app? could anybody provide..

    Just re-posting from an earlier question along the same lines: A simple way to see if the patches are installed is to compare the length of the webresource.axd and scriptresource.axd Urls between a machine with the patch, and a machine without the patch. On a patched machine the Urls will be longer. For the same resource the "d" query-string value will be longer on a patched machine.

  • Reg: www.microsoft.com/.../MS10-070.mspx)

    Hi sschack.. Thanks for your reply. It provides some info but my real question was once you know that the patch has been installed then what is my test scenario and what I can see the patch made difference in security.

    Thanks in advance.

  • Thank you team and Scott!!!

  • I have shared hosting with GoDaddy and they have not been able to tell me if they have installed the fix on my hosting account. I have provided them with this link and a link to MS's site in regard to this patch to fix this security hole. Both responses I got from them were as follows: "We install patches regularly and as necessary. Unfortunately, we cannot provide further information at this time." and when I gave them more details about the patch and insisted that they reassure me or not that their servers are protected they replied with "Unfortunately we can not provide internal information regarding our hosting plans. I apologize for the inconvenience.". BLEH!

    I also host with Arvixe who were more than willing to inform that they had installed the patch the day it was available and that their servers were secure.

    Has anyone else had this experience with GoDaddy? I have found no documentation or blogs on their site that has anything to do with this vulnerability. What steps should I take with GoDaddy to make sure that the patch is installed?

  • Repost, anyone else have this problem? (Running website on .NET 4.)
    The 4.0 patch (NDP40-KB2416472-x86.exe) says "KB2416472 does not apply, or is blocked by another condition on your computer." but the FULL version of 4.0 is on the server.
    Patching of 2.0 and 3.5 went OK.

  • We've had reports of customers seeing this error after patch installation:

    Event code: 4005
    Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.

    We're thinking it may be cookie related (ie. a user selected "Remember Me") and it's causing issues. Only thing that changed is that the patch was installed. ASP.NET 3.5 SP1 app on an IIS6 webfarm.

  • Thanks for the patch and all details.

    I can see a lot of people have different experiences with the update. Let's see how it rolls on at my end.

  • >>We have .NET 1.1 applications running on Windows Server 2008 R2, for which there doesn't appear to be a patch listed. Is the patch for 1.1 for 2008 SP2 (KB2416447) suitable?

    Marcus, .NET Framework 1.1 SP1 is not supported on Windows 7 or Windows Server 2008 R2; this link has more information about that: http://blogs.technet.com/b/lifecycle/archive/2010/06/21/supportability-of-net-framework-1-1-on-windows-7-and-windows-server-2008-r2.aspx. I would recommend you upgrade your installation to a more recent supported version of the .NET Framework in order to continue receiving security updates.

    Thanks,
    Jamshed Damkewala
    Lead PM, .NET Framework Sustained Engineering Team

  • >>The 4.0 patch (NDP40-KB2416472-x86.exe) says "KB2416472 does not apply, or is blocked by another condition on your computer." but the FULL version of 4.0 is on the server.

    Eric, there could be a number of reasons why applying the patch failed, it would be hard to debug without logs. I would recommend you call 1-866-PCSAFETY for free technical support for security updates, they should be able to help debug your problem.

    Thanks,
    Jamshed Damkewala
    Lead PM, .NET Framework Sustained Engineering Team

  • >>Could you please tell me - do I need to have .Net updated on both server AND development machine, or do I just need to worry about the server? If the server is updated, but development machine is not, will I have a problem at deployment time?

    Shem, my recommendation is that you install the update on both machines, even if the development machine is not going to be internet facing, so that you get a consistent development, debugging, and deployment experience and can eliminate the possibility of seeing code that works in one environment but doesn't in another due to the patch being applied.

    Thanks,
    Jamshed Damkewala
    Lead PM, .NET Framework Sustained Engineering Team

  • >>How about making available single setup/installer that detects what's installed on the system and download the required patches and applies them?

    khurram, that single installer you are looking for is the Windows Update/WSUS experience and it behaves very much like you describe. Once the patches for this security update are available on Windows Update you can use the "Check for Updates" option in your Control Panel and WU will scan your machine and offer you the correct set of patches based on the different version(s) of the .NET Framework installed on the particular machine.

    Thanks,
    Jamshed Damkewala
    Lead PM, .NET Framework Sustained Engineering Team

  • >>I do not see 2003 R2 listed? Will the 2003 SP2 work for it? Noticed 2008 has SP2 and R2.

    sterling, Windows Server 2003 R2 is an update applied to Windows Server 2003 so yes, the patches for Windows Server 2003 will work on Windows Server 2003 R2 too.

    Thanks,
    Jamshed Damkewala
    Lead PM, .NET Framework Sustained Engineering Team

  • >>Hi All, are there any patches for NET 3.0, or are we covered with 3.5 updates?

    There are no patches for the .NET Framework 3.0 feature layer since that layer is not affected by this vulnerability.

    Thanks,
    Jamshed Damkewala
    Lead PM, .NET Framework Sustained Engineering Team

  • >>Is there a link to patches that would apply to Window Server 2003 Enterprise Edition SP1?

    Mark, support for Windows Server 2003 SP1 ended on April 14, 2009. You can see the details of the support lifecycles for various operating systems here: http://support.microsoft.com/lifecycle/?LN=en-us&p1=3198&x=5&y=8. I would recommend you upgrade your system to a supported version in order to continue receiving security updates.

    Thanks,
    Jamshed Damkewala
    Lead PM, .NET Framework Sustained Engineering Team

  • Hi Scott

    I am facing the problem as follows. A WebService application frequently encounters the following message; sometimes OK, sometimes NOT OK.
    .NET 3.5 WebService Application.
    Could you help me with what the main cause and solution is? Thanks.
    ---------------------------------------------
    Server Application Unavailable
    The web application you are attempting to access on this web server is currently unavailable. Please hit the "Refresh" button in your web browser to retry your request.

    Administrator Note: An error message detailing the cause of this specific request failure can be found in the application event log of the web server. Please review this log entry to discover what caused this error to occur.
    --------------------------------------------------------------------------------

  • Thanks for this! I have successfully applied patches to all my servers, but I have another problem: "ASP.NET Applications" performance counters for some of my sites disappeared from perfmon and WMI.

    I use a construction like this:
    SELECT RequestsPerSec FROM Win32_PerfFormattedData_ASPNET_ASPNETApplications WHERE Name='_LM_W3SVC_33_ROOT'
    and there is no _LM_W3SVC_33_ROOT instance, but the site is successfully working with ID 33.

    Can it be caused by a reboot pending after the updates? I cannot reboot the servers now.

  • I'm going to write an email to my asp.net hosting provider about this update. Thanks a lot.

  • Thanks for the patches * done

  • Add another huge vote to Jeff's comment about "Forms authentication failed for the request. Reason: The ticket supplied has expired". We've got three webservers here and after the patches were applied yesterday, we've had dozens of customers call in yelling.

    I've gone through all the servers' machine.config files and verified they all have matching validationKeys and decryptionKeys along with being set for validation="SHA1" decryption="3DES". Each site also has the same info in the web.config.

  • We have a site which handles our login, then re-directs over to other external sites...after installing this that no longer works, I'm caught in an endless redirect loop. That site sends me back to login, then login validates, sends me back over, and it then sends me back to login (repeat until timeout)

    :/

  • To stevescotthome

    With the issue of login on one site re-directing to another site, and this now failing.

    I believe you will need to make sure that the same patches are installed on both sites; and also that you have the same machineKey settings in the web.config files on both sites. I believe that the login authentication cookie is encrypted, and it will now be encrypted differently with the patch installed. If both servers are not patched the same (and using the same machine keys), the second site will not be able to use the authentication cookie from the first one.
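    The farm-wide key check the two comments above describe, as an added example that is not part of the original post or of ASP.NET itself: it parses the machineKey element from each server's web.config (constructed inline with placeholder keys) and reports servers whose keys are auto-generated or differ from the first server's, since after the update a ticket issued by one server is only accepted by another when both are patched and share validationKey/decryptionKey.

```python
"""Farm-wide <machineKey> consistency check (added example, not from the post).

Reads the <machineKey> element of each server's web.config, here constructed
inline with placeholder keys, and reports auto-generated or mismatched keys.
"""
import xml.etree.ElementTree as ET

ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")


def config_xml(validation_key, decryption_key):
    """Build a minimal web.config with an explicit <machineKey> (constructed sample)."""
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
        'validation="SHA1" decryption="3DES"/>'
        "</system.web></configuration>"
    )


# Constructed sample farm: web03 kept an old decryptionKey, web04 relies on defaults.
SAMPLE_FARM = {
    "web01": config_xml("VALKEY-PLACEHOLDER-1", "DECKEY-PLACEHOLDER-1"),
    "web02": config_xml("VALKEY-PLACEHOLDER-1", "DECKEY-PLACEHOLDER-1"),
    "web03": config_xml("VALKEY-PLACEHOLDER-1", "DECKEY-PLACEHOLDER-OLD"),
    "web04": "<configuration><system.web/></configuration>",
}


def machine_key(xml_text):
    """Return the <machineKey> attributes as a dict, or None when the element is absent."""
    node = next(ET.fromstring(xml_text).iter("machineKey"), None)
    return None if node is None else {a: node.get(a) for a in ATTRS}


def check_farm(configs):
    """Return a list of findings; an empty list means every server agrees."""
    findings, explicit = [], {}
    for server, xml_text in configs.items():
        mk = machine_key(xml_text)
        if mk is None:
            findings.append(f"{server}: no <machineKey>; keys default to AutoGenerate per machine")
            continue
        if any(mk[a] is None or "AutoGenerate" in mk[a] for a in ("validationKey", "decryptionKey")):
            findings.append(f"{server}: AutoGenerate key cannot be shared across the farm")
            continue
        explicit[server] = mk
    if explicit:
        base_server, base = next(iter(explicit.items()))  # first explicit server is the reference
        for server, mk in explicit.items():
            for a in ATTRS:
                if mk[a] != base[a]:
                    findings.append(f"{server}: {a} differs from {base_server}")
    return findings
```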

  • Regarding the reply: Wednesday, September 29, 2010 9:27 PM by sschack

    I know that I can check the version numbers of the actual files in the Windows file system - provided that I have access to those files. In a shared or hosted environment, I have no way to check the Windows file versions. That's why it would be useful if the ASP.NET System.Environment.Version call returned an updated version number when this update is installed.

    Alternatively, it would be helpful if the registry entry for Version under "HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5" (and the corresponding 4.0 entry) [which can be read by a method in ASP.NET] reported an updated version number if the update is installed.

    So far, the only approach I have seen to determine whether the update has been installed in a hosted environment is to check for a longer length "d" query string value in any references to webresource.axd in the "View Source" for an aspx web page.

  • Hey Scott, just an update....Uninstalling this update fixed the issue I was having...so something's not right

  • I have a server 2003 sp2 Web Edition server that lists:

    .NET Framework 2.0 Service Pack 2
    .NET Framework 3.0 Service Pack 2
    .NET Framework 3.5 SP1

    Does the 3.5 update cover 3.0?

  • @Jason Baginski, Jeff

    >>>>> We've had reports of customers seeing this error after patch installation: Event code: 4005
    >>>>> Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
    >>>>> We're thinking it may be cookie related (ie. a user selected "Remember Me") and it's causing issues. Only thing that changed is that the patch was installed. ASP.NET 3.5 SP1 app on an IIS6 webfarm.

    Above you are seeing the event log entries that happen when users hit the site with an old forms-auth ticket. Once the patch is installed the security tokens used by cached Forms Auth tickets will no longer be valid, and end-users will need to log in again. This *should not* display an error to visitors to the site - but rather simply redisplay the login page. After the user logs in everything will be like before. So these event log errors shouldn't cause concern - since they simply indicate the transition from the old to the new forms auth tickets (and do not cause a bad user experience for people visiting the site).

    Let me know via email (scottgu@microsoft.com) if you are seeing something different than what I've described and we can help further.

    Thanks,

    Scott
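    A way to tell the expected transition Scott describes from a lingering problem, as an added example that is not part of the original post: the constructed event lines below are bucketed per hour from the patch time, and a verdict of "investigate" is returned when 4005 failures continue past the transition window or one client keeps failing (the thresholds are assumptions chosen for illustration, not Microsoft guidance).

```python
"""Triage of ASP.NET event 4005 after the update (added example, not from the post).

Stale forms-auth tickets issued before the patch are rejected once and the user
simply logs in again, so 4005 should spike right after patching and then fade.
A count that does not fade, or one client failing repeatedly, is worth a look.
Log lines are constructed; thresholds are heuristics, not Microsoft guidance.
"""
from collections import Counter
from datetime import datetime, timedelta

PATCH_TIME = datetime(2010, 9, 29, 9, 55)  # constructed: when the farm was patched

# Constructed sample lines: "<ISO timestamp>\t<event code>\t<client>\t<message>"
TRANSITION_LOG = """\
2010-09-29T10:02:11\t4005\t10.0.0.5\tForms authentication failed for the request. Reason: The ticket supplied was invalid.
2010-09-29T10:03:40\t4005\t10.0.0.6\tForms authentication failed for the request. Reason: The ticket supplied was invalid.
2010-09-29T10:20:05\t3005\t10.0.0.7\tAn unhandled exception has occurred.
2010-09-29T10:41:19\t4005\t10.0.0.7\tForms authentication failed for the request. Reason: The ticket supplied was invalid.
2010-09-29T11:15:00\t4005\t10.0.0.8\tForms authentication failed for the request. Reason: The ticket supplied was invalid.
"""
PERSISTENT_LOG = TRANSITION_LOG + """\
2010-09-29T13:05:00\t4005\t10.0.0.9\tForms authentication failed for the request. Reason: The ticket supplied was invalid.
2010-09-29T13:06:30\t4005\t10.0.0.9\tForms authentication failed for the request. Reason: The ticket supplied was invalid.
2010-09-29T14:30:12\t4005\t10.0.0.9\tForms authentication failed for the request. Reason: The ticket supplied was invalid.
"""


def parse_4005(log_text):
    """Return (timestamp, client) for each 4005 line; other event codes are skipped."""
    events = []
    for line in log_text.splitlines():
        ts, code, client, _message = line.split("\t", 3)
        if code == "4005":
            events.append((datetime.fromisoformat(ts), client))
    return events


def hourly_counts(events, start, hours):
    """Count 4005 events per whole hour since `start`; events outside the window are ignored."""
    buckets = [0] * hours
    for ts, _ in events:
        idx = (ts - start) // timedelta(hours=1)
        if 0 <= idx < hours:
            buckets[idx] += 1
    return buckets


def triage(log_text, patch_time, transition_hours=2, window_hours=6, repeat_threshold=3):
    """Classify the log as transition noise or something to investigate (heuristic)."""
    events = parse_4005(log_text)
    hourly = hourly_counts(events, patch_time, window_hours)
    late = sum(hourly[transition_hours:])  # failures after the grace period
    repeaters = sorted(c for c, n in Counter(c for _, c in events).items() if n >= repeat_threshold)
    verdict = "expected transition" if late == 0 and not repeaters else "investigate"
    return {"hourly": hourly, "late_failures": late, "repeat_clients": repeaters, "verdict": verdict}
```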

  • "although an OS reboot should not be required" is not correct

    After I installed the first update it asks for a restart :)

  • Silverlight issue

    I had put the temporary patch in place.

    Then installed the proper update

    My Silverlight app stopped working - could not find the WCF services until I commented out the

    line

    then it was OK again

    Mike

  • Hey Scott - I'm having what sounds like the same issue that Jason is. I went ahead and sent you an email with the details.

  • So why does the DetectCustomErrorsDisabled.vbs still show as VULNERABLE *AFTER* I installed MS10-070?

    Does this patch work? I don't think so.

  • Does this break TripleDES? I applied the security update on my system and it broke my application which uses TripleDES to encrypt the login password.

  • Updates are finally available in WU and WSUS. Happy patching ;).

  • I tried installing the KB2418241 update for Windows 2003 SP2 and .NET Framework 2.0 but it is showing "None of the products that are addressed by this software update are installed in your computer". I have .NET Framework 2.0 installed in the system.

  • Funniest thing about this, is a client sent in an email about the issue because their ISP alerted them of it today... 1 week late, and after a solution had already been made. Good job, CrystalTech...

  • Hey, Scott. The security issue has been handled. The updates are available. Please post something else so we can get past this. Thanks!

  • @Mark H
    >>>>> So why does the DetectCustomErrorsDisabled.vbs still show as VULNERABLE *AFTER* I installed MS10-070.

    >>>>> Does this patch work ? I don't think so.

    It means that you never applied the temporary _workaround_ fixes to your web.config files. The patch is supposed to be a _permanent_ fix making the workaround fix and VBS script obsolete.

    Snarky comments without an understanding of what the VBS script is for? I think so.

  • Scott,
    We use a third-party survey tool named DatStat Illume from datstat.com. Their ASP.NET 2.0-based web app uses an ASHX to display images and after installing the patch the images in the surveys are no longer showing. Are you aware of this issue and is there anything we or DatStat can do to fix it?

    Paul

  • As a follow-up to my comment from Oct 1, I have since discovered, by looking through the event log, that this issue was caused by the installation of URLScan rather than the patch, so we have for now uninstalled URLScan until we can figure out how to allow the image handler to run correctly with URLScan in place.

    Regards,
    Paul

  • Hi,
    Out of precaution I would like to change my machine key. How do I do this without having my users set a new password or having login failures?
    J.

  • After installing this update, we notice that the forms authentication ticket becomes longer than before. Unfortunately we use the inurl mode, and not cookies, so our URL becomes longer than ever. This new behavior breaks our application with an HTTP 400 error:

    Bad Request - Invalid URL
    HTTP Error 400. The request URL is invalid

  • SharePoint 2007 running on x64, 3.0 Version of .net framework.

    Do I need to put the latest .NET vulnerability patch created for 2.0?
    or
    Should I upgrade to 3.5 and put the patch? (as there is no patch for 3.0)

    Thanks
    celerity12

  • How about a patch for the .NET 3.0 framework? Should I use the one for 2.0?

  • After applying this patch I'm seeing one server that can't load Event Viewer (or most any mmc plugin). Has anyone else reported this problem?

  • If you share a FormsAuthenticationTicket cookie between 1.1 and 2.0 sites, these patches may break your ability to do this. See my post at http://forums.asp.net/p/1609592/4112484.aspx for a workaround.

  • Is anyone else getting application event logs of "Forms authentication failed for the request. Reason: The ticket supplied was invalid." ? A few development machines now show that error, and one of them didn't have any issues until after some service patches were installed and the machine was rebooted.

    A few of us (not all) can no longer get past our login form. Each time we try to log in, we get a new entry in the event log with that same error.

  • @EdFromOhio,

    Can you send me email (scottgu@microsoft.com) and I will connect you with someone who can help.

    Thanks,

    Scott

  • Thank you for your reply, Scott. I opened a case with Microsoft late last week regarding this issue. It seems to only be affecting XP and Vista workstations, not Windows 7. That leads me to be suspicious of the new KB2416470 patch, even though that section of our system uses ASP.Net 2.0 SP2. Hopefully there will be a solid solution to this issue that I can post here for the benefit of all.

  • wow. I'm behind the eight ball on this. Thanks for the very helpful post. Today I'll be patching most of my clients' servers :)

  • As an update to my previous post, my Vista machine had a few issues with it. Apparently the KB2408241 had only partially been installed so I had some DLL mismatches which only became apparent when KB2416470 was applied. We uninstalled both, then installed KB2418241, rebooted, installed KB240 I did have to put the key in for things to work on my machine.

    Unfortunately, the same process did not work on an XP SP3 machine with all available critical and optional patches applied. We may end up opening another case to resolve that machine's issues.

    P.S. Scott, we saw you on that live feed last week. Pretty cool!
