Security Bulletin
Microsoft Security Bulletin MS10-070 - Important
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
Published: September 28, 2010 | Updated: October 26, 2011
Version: 4.2
General Information
Executive Summary
This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.
This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.
Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Known Issues. Microsoft Knowledge Base Article 2418042 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.
Affected and Non-Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.
**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.
[1] .NET Framework 4.0 Client Profile not affected. The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4.0 and .NET Framework 4.0 Client Profile. The .NET Framework 4.0 Client Profile is a subset of the .NET Framework 4.0. The vulnerability addressed in this update affects only the .NET Framework 4.0 and not the .NET Framework 4.0 Client Profile. For more information, see: Installing the .NET Framework.
Non-Affected Software
Operating System | Component |
---|---|
Microsoft .NET Framework 1.0 Service Pack 3 | |
Windows XP Service Pack 3 | Microsoft .NET Framework 1.0 Service Pack 3 (Windows XP Media Center Edition 2005 and Windows XP Tablet PC Edition 2005 only) |
Microsoft .NET Framework 3.5.1 | |
Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 |
Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 |
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 |
Frequently Asked Questions (FAQ) Related to This Security Update
Why was this bulletin revised on February 22, 2011?
Microsoft revised this security bulletin to announce a detection change to offer the Microsoft .NET Framework 4.0 (KB2416472) update packages to systems running Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1. This detection change only applies to customers who install Microsoft .NET Framework 4.0 after installing Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, or Windows Server 2008 R2 for Itanium-based Systems Service Pack 1. Customers who have already successfully updated their systems do not need to take any action.
Why was this bulletin revised on December 14, 2010?
Microsoft revised this security bulletin to announce that new update packages are available for Microsoft .NET Framework 4.0 (KB2416472). These new packages correct an issue in the setup that could interfere with the successful installation of other updates. For customers who may have an installation of another product or update that may have been affected by this issue, please see Microsoft Knowledge Base Article 2473228 for additional information. Customers who have already successfully updated their systems do not need to take any action.
I have .NET Framework 3.0 Service Pack 2 installed; this version is not listed among the affected software in this bulletin. Do I need to install an update?
This bulletin describes a vulnerability in the .NET Framework 2.0 and the .NET Framework 3.5 feature layers. The .NET Framework 3.0 Service Pack 2 installer chains in the .NET Framework 2.0 Service Pack 2 setup, so installing the former also installs the latter. Therefore, customers who have .NET Framework 3.0 Service Pack 2 installed need to install security updates for .NET Framework 2.0 Service Pack 2.
I have .NET Framework 3.5 installed. Do I need to install any additional updates?
This bulletin describes a vulnerability in the .NET Framework 2.0 and the .NET Framework 3.5 feature layers. The .NET Framework 3.5 installer chains in both the .NET Framework 2.0 Service Pack 1 setup and the .NET Framework 3.0 Service Pack 1 setup. Therefore, customers who have .NET Framework 3.5 installed also need to install security updates for .NET Framework 2.0 Service Pack 1 in addition to the updates for .NET Framework 3.5.
To help determine if there are any additional versions of the .NET Framework installed on your system, see the FAQ entry, "How do I determine which version of the Microsoft .NET Framework is installed," later in this section.
I have .NET Framework 3.5 Service Pack 1 installed. Do I need to install any additional updates?
This bulletin describes a vulnerability in the .NET Framework 2.0 and the .NET Framework 3.5 feature layers. The .NET Framework 3.5 Service Pack 1 installer chains in both the .NET Framework 2.0 Service Pack 2 setup and the .NET Framework 3.0 Service Pack 2 setup. Therefore, customers who have .NET Framework 3.5 Service Pack 1 installed also need to install security updates for .NET Framework 2.0 Service Pack 2.
To help determine if there are any additional versions of the .NET Framework installed on your system, see the FAQ entry, "How do I determine which version of the Microsoft .NET Framework is installed," later in this section.
Why was this bulletin revised on September 30, 2010?
Microsoft revised this bulletin to announce that the updates are now available through all distribution channels, including Microsoft Update and Windows Update. Additionally, the following clarifications and corrections were also included in this revision:
- Made the following corrections to the Affected Software table:
- The bulletin description for update KB2418241 was corrected to include .NET Framework 3.5 Service Pack 1 on Windows XP and Windows Server 2003 systems. This was a bulletin change only. Customers who have successfully installed update KB2418241 do not need to reinstall. Customers running .NET Framework 3.5 Service Pack 1 on Windows XP or Windows Server 2003 systems who have not installed update KB2418241 should apply the update at the earliest opportunity, even if they have already applied update KB2416473 for .NET Framework 3.5 Service Pack 1. Customers should apply all updates offered for the software installed on their systems.
- The bulletin description for update KB2416474 was corrected to include .NET Framework 3.5 Service Pack 1 on Windows Vista and Windows Server 2008 systems. This was a bulletin change only. Customers who have successfully installed update KB2416474 do not need to reinstall. Customers running .NET Framework 3.5 Service Pack 1 on Windows Vista or Windows Server 2008 systems who have not installed update KB2416474 should apply the update at the earliest opportunity, even if they have already applied update KB2416473 for .NET Framework 3.5 Service Pack 1. Customers should apply all updates offered for the software installed on their systems.
- The bulletin description for update KB2416470 was corrected to include Microsoft .NET Framework 3.5 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista and Windows Server 2008 systems. This was a bulletin change only. Customers who have successfully installed update KB2416470 do not need to reinstall. Customers running .NET Framework 3.5 and Microsoft .NET Framework 3.5 Service Pack 1 on Windows Vista or Windows Server 2008 systems who have not installed update KB2416470 should apply the update at the earliest opportunity, even if they have already applied update KB2418240 for .NET Framework 3.5 and update KB2416473 for .NET Framework 3.5 Service Pack 1. Customers should apply all updates offered for the software installed on their systems.
- Update KB2418240 was listed as an additional update for .NET Framework 3.5 for Windows XP, Windows Server 2003, Windows Vista Service Pack 1, and Windows Server 2008 systems. This was a bulletin change only. Customers who have successfully installed update KB2418240 do not need to reinstall. Customers running .NET Framework 3.5 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 systems who have not installed update KB2418240 should apply the update at the earliest opportunity, even if they have already applied a different update for .NET Framework 3.5. Customers should apply all updates offered for the software installed on their systems.
- Added the FAQ, "How do I determine which version of the Microsoft .NET Framework is installed?" in this section.
- Added the FAQ, "There are two updates listed for the version of the Microsoft .NET Framework installed on my system. Do I need to install both updates?" in this section.
- Added the FAQ, "Do I need to install these security updates in a particular sequence?" in this section.
How do I determine which version of the Microsoft .NET Framework is installed?
You can install and run multiple versions of the .NET Framework on a system, and you can install the versions in any order. There are several ways to determine which versions of the .NET Framework are currently installed. For more information, please see Microsoft Knowledge Base Article 318785.
There are two updates listed for the version of the Microsoft .NET Framework installed on my system. Do I need to install both updates?
Yes. Customers should apply all updates offered for the software installed on their systems.
Do I need to install these security updates in a particular sequence?
No. Multiple updates for one version of the .NET Framework can be applied in any sequence. We recommend that multiple updates for different versions of the .NET Framework be applied in sequence from lowest version number to highest; however, that sequence is not required.
Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the September bulletin summary. For more information, see Microsoft Exploitability Index.
Affected Software | ASP.NET Padding Oracle Vulnerability - CVE-2010-3332 | Aggregate Severity Rating |
---|---|---|
Microsoft .NET Framework 1.1 Service Pack 1 | ||
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows XP Service Pack 3 | Important Information Disclosure | Important |
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows XP Professional x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2003 x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2003 Itanium-based Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2** | Important Information Disclosure | Important |
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2** | Important Information Disclosure | Important |
Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 1 | ||
Microsoft .NET Framework 2.0 Service Pack 1 on Windows Vista Service Pack 1 | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 1 on Windows Vista x64 Edition Service Pack 1 | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 1 on Windows Server 2008 for 32-bit Systems** | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 1 on Windows Server 2008 for x64-based Systems** | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 1 on Windows Server 2008 for Itanium-based Systems | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 | ||
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows XP Service Pack 3 | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows XP Professional x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2003 Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2003 x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2003 with SP2 for Itanium-based Systems | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2** | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2** | Important Information Disclosure | Important |
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-based Systems Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 | ||
Microsoft .NET Framework 3.5 when installed on Windows XP Service Pack 3 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 when installed on Windows XP Professional x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 when installed on Windows Server 2003 Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 when installed on Windows Server 2003 x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 when installed on Windows Server 2003 with SP2 for Itanium-based Systems | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 when installed on Windows Server 2008 for 32-bit Systems** | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 when installed on Windows Server 2008 for x64-based Systems** | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 when installed on Windows Server 2008 for Itanium-based Systems | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 Service Pack 1 | ||
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows XP Service Pack 3 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows XP Professional x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2003 Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2003 x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2003 with SP2 for Itanium-based Systems | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2** | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2** | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5.1 | ||
Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems* | Important Information Disclosure | Important |
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 | ||
Microsoft .NET Framework 4.0 on Windows XP Service Pack 3 | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows XP Professional x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Server 2003 Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Server 2003 x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Server 2003 with SP2 for Itanium-based Systems | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Vista Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Vista x64 Edition Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Server 2008 for 32-bit Systems Service Pack 2** | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Server 2008 for x64-based Systems Service Pack 2** | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Server 2008 for Itanium-based Systems Service Pack 2 | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Server 2008 R2 for x64-based Systems | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Server 2008 R2 for x64-based Systems Service Pack 1* | Important Information Disclosure | Important |
Microsoft .NET Framework 4.0 on Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Important Information Disclosure | Important |
*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.
**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.
ASP.NET Padding Oracle Vulnerability - CVE-2010-3332
An information disclosure vulnerability exists in ASP.NET due to improper error handling during encryption padding verification. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can also be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-3332.
Mitigating Factors for ASP.NET Padding Oracle Vulnerability - CVE-2010-3332
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
- Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.
Workarounds for ASP.NET Padding Oracle Vulnerability - CVE-2010-3332
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
Enable a UrlScan or Request Filtering rule, enable ASP.NET custom errors, and map all error codes to the same error page
Enabling the customErrors feature of ASP.NET and explicitly configuring applications to always return the same error page, regardless of the error encountered on the server, can make it more difficult for an attacker using the current exploit to distinguish between the different types of errors that occur on a server.
On systems using the .NET Framework version 3.5 Service Pack 1 and above, the workaround provides further protection by also helping to protect against the timing attack portion of the current exploit. The workaround uses the redirectMode="ResponseRewrite" option in the customErrors feature, and introduces a random delay in the error page. These approaches work together to make it more difficult for an attacker to deduce the type of error that occurred on the server by measuring the time it took to receive the error.
Additionally, this workaround requires blocking requests that specify the application error path on the querystring. This can be done using URLScan, a free tool for Internet Information Services (IIS) that can selectively block requests based on rules defined by the administrator. If your system is running Internet Information Services (IIS) on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2, you can alternatively use the Request Filtering feature.
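As an added example (not part of Microsoft's bulletin), the following Python script audits a web.config for the settings this workaround depends on: customErrors switched on, one generic page for every error rather than per-status pages, and, on .NET Framework 3.5 Service Pack 1 and later, redirectMode="ResponseRewrite". The sample configurations are constructed; the page names ~/error.html and ~/ErrorPage.aspx follow the bulletin's instructions below.

```python
"""Audit an ASP.NET web.config for the MS10-070 uniform custom errors workaround.

Added example, not Microsoft's code. The sample configurations below are
constructed for illustration.
"""
import xml.etree.ElementTree as ET


def _child(elem, tag):
    """Return the first direct child with the given tag (None if absent)."""
    for node in elem:
        if node.tag == tag:
            return node
    return None


def audit_custom_errors(web_config_xml, net35sp1_or_later=True):
    """Return a list of findings; an empty list means the workaround settings are present."""
    root = ET.fromstring(web_config_xml)
    system_web = _child(root, "system.web")
    custom_errors = _child(system_web, "customErrors") if system_web is not None else None
    if custom_errors is None:
        return ["customErrors element missing: ASP.NET serves its default error pages, "
                "which differ by error type"]

    findings = []
    mode = custom_errors.get("mode", "Off")
    if mode != "On":
        findings.append('customErrors mode="%s": the workaround expects "On" so every '
                        "client gets the same generic page" % mode)
    if not custom_errors.get("defaultRedirect"):
        findings.append("defaultRedirect not set: no single generic error page is configured")
    # Per-status <error> children send different errors to different pages; the
    # workaround requires every error code to map to the same page.
    per_status = [e.get("statusCode", "?") for e in custom_errors if e.tag == "error"]
    if per_status:
        findings.append("per-status error pages configured for status codes "
                        + ", ".join(per_status) + ": all errors must map to one page")
    if net35sp1_or_later and custom_errors.get("redirectMode") != "ResponseRewrite":
        findings.append('redirectMode is not "ResponseRewrite": on .NET Framework 3.5 SP1 '
                        "and later the error page must be rewritten in place, not redirected to")
    return findings


# Constructed: a typical pre-workaround configuration with per-status error pages.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off">
      <error statusCode="404" redirect="~/notfound.html" />
      <error statusCode="500" redirect="~/oops.html" />
    </customErrors>
  </system.web>
</configuration>"""

# Constructed: the workaround form for .NET Framework 3.5 SP1 and later.
HARDENED_CONFIG_35SP1 = """<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
  </system.web>
</configuration>"""

# Constructed: the workaround form for .NET Framework 3.5 and earlier (no redirectMode attribute).
HARDENED_CONFIG_35 = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for name, cfg, sp1 in [("weak", WEAK_CONFIG, True),
                           ("hardened 3.5 SP1 and later", HARDENED_CONFIG_35SP1, True),
                           ("hardened 3.5 and earlier", HARDENED_CONFIG_35, False)]:
        issues = audit_custom_errors(cfg, net35sp1_or_later=sp1)
        print(name + ":", "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```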
Block requests that modify ASP.Net application error path on the request querystring
Using UrlScan:
1. Download and install UrlScan 3.1. For further instructions on configuring and using UrlScan, see UrlScan 3 Reference.
2. Modify UrlScan.ini (found in %windir%\system32\inetsrv\urlscan). Insert the following line under the [DenyQueryStringSequences] section of the UrlScan.ini file:
```
aspxerrorpath=
```
After you do so, the [DenyQueryStringSequences] section should look similar to this (additional lines in the section are okay and do not affect the workaround):
```
[DenyQueryStringSequences]
aspxerrorpath=
```
3. Run iisreset from a command prompt while logged in as an administrator.
Using IIS request filtering:
These instructions are an alternative for the UrlScan instructions above for systems running IIS on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2.
1. Install the Request Filtering feature in IIS through either Add/Remove Programs or Role Manager by selecting the feature under Internet Information Services, World Wide Web Services, Security.
2. Launch Internet Information Services (IIS) Manager.
3. Select the server node in the left pane.
4. Double-click Request Filtering.
5. Select the Query Strings tab and click Deny Query String … in the Actions pane.
6. Enter aspxerrorpath= in the dialog box and select OK.
Alternatively, you can use the following appcmd command to deny this query string sequence:
```
appcmd set config /section:requestfiltering /+denyQueryStringSequences.[sequence='aspxerrorpath=']
```
For more information on using appcmd to configure IIS, see Getting Started with AppCmd.exe.
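The following Python script, added here and not part of the bulletin, triages IIS W3C extended log lines for two things the workaround above is concerned with: requests that carry aspxerrorpath= in the query string (the sequence the UrlScan or Request Filtering rule should deny) and a client that draws a burst of error responses with differing status codes, which is the distinction the uniform error page is meant to remove. The log lines are constructed; the client addresses and the error threshold are assumptions.

```python
"""Triage IIS W3C extended log lines for MS10-070 workaround coverage.

Added example, not part of Microsoft's bulletin. Flags clients that send
aspxerrorpath= in the query string (the sequence the UrlScan / Request
Filtering rule denies) and clients that accumulate many error responses with
mixed status codes, i.e. a server that is still telling error types apart.
"""
from collections import defaultdict


def parse_w3c(lines):
    """Yield one dict per record, keyed by the most recent #Fields: directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue  # other directives and blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed record: skip rather than guess at columns
        yield dict(zip(fields, parts))


def triage(lines, error_threshold=10):
    """Return {client_ip: [reason, ...]} for clients that deserve a closer look."""
    per_client = defaultdict(lambda: {"errors": 0, "statuses": set(), "errpath": 0})
    for rec in parse_w3c(lines):
        stats = per_client[rec["c-ip"]]
        if "aspxerrorpath=" in rec.get("cs-uri-query", "").lower():
            stats["errpath"] += 1
        status = int(rec["sc-status"])
        if status >= 400:
            stats["errors"] += 1
            stats["statuses"].add(status)

    findings = {}
    for ip, stats in per_client.items():
        reasons = []
        if stats["errpath"]:
            reasons.append("%d request(s) with aspxerrorpath= in the query string "
                           "(should be denied by the UrlScan / Request Filtering rule)"
                           % stats["errpath"])
        if stats["errors"] >= error_threshold and len(stats["statuses"]) > 1:
            reasons.append("%d error responses spread over status codes %s: the server "
                           "is still distinguishing error types"
                           % (stats["errors"], sorted(stats["statuses"])))
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample log. 10.0.0.5 is an ordinary visitor; 203.0.113.9 (assumed
# address) sends an aspxerrorpath= request and then a burst of requests whose
# responses alternate between 500 and 404.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2010-09-20 10:00:01 10.0.0.5 GET /Default.aspx - 200 31
2010-09-20 10:00:02 10.0.0.5 GET /Styles/Site.css - 200 2
2010-09-20 10:00:05 10.0.0.5 GET /missing.gif - 404 1
2010-09-20 10:01:00 203.0.113.9 GET /Default.aspx aspxerrorpath=/Default.aspx 200 28""".splitlines()
SAMPLE_LOG += ["2010-09-20 10:01:%02d 203.0.113.9 GET /Default.aspx r=%d %d %d"
               % (i + 1, i, 500 if i % 2 else 404, 40 + i) for i in range(12)]


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```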
Configure ASP.Net applications to use uniform custom errors
In the root folder of each ASP.NET web application, determine if you already have a web.config file in this folder. You must have rights to create a file in the target directory to implement this workaround.
If the ASP.NET application does not have a web.config file:
On .NET Framework 3.5 and earlier
1. Create a text file named **web.config** in the root folder of the ASP.NET application, and insert the following contents:
```
<configuration>
```
2. Create a text file named **error.html** containing a generic error message and save it in the root folder of the ASP.NET application.
3. Alternatively, you can rename error.html in the **web.config** file to point to an existing error page, but that page must display generic content, not context-specific content.
**On .NET Framework 3.5 Service Pack 1 and later**
1. Create a text file named **web.config** in the root folder of the ASP.NET application, and insert the following contents:
```
<configuration>
```
2. If you are comfortable using C#, we recommend using the following **ErrorPage.aspx** file:
```
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
void Page_Load() {
    // Sleep for a random 0-255 ms so the response time does not reveal which error occurred
    byte[] delay = new byte[1];
    RandomNumberGenerator prng = new RNGCryptoServiceProvider();
    prng.GetBytes(delay);
    Thread.Sleep((int)delay[0]);
    IDisposable disposable = prng as IDisposable;
    if (disposable != null) { disposable.Dispose(); }
}
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml">
```