ASP.NET Security Vulnerability – help your customers protect their applications

Yesterday we released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET (regardless of the version of Windows on which it is running). The vulnerability exposes application components as well as application data, which can lead to compromise of the application.

This vulnerability was publicly disclosed late on Sep 17, 2010 at a security conference.

We recommend that all customers immediately apply a workaround (described in Scott Guthrie's blog) to prevent attackers from using this vulnerability against their ASP.NET applications.

Microsoft is working on an update to ASP.NET that we will release via Windows Update (and that will also be available through WSUS) once it has been thoroughly tested and is ready for broad distribution. Note that the workarounds are temporary and will not be required once the update fixes the vulnerability in the underlying products. They are intended to provide steps application owners can take immediately to protect their applications until the update is available.

What does it mean to Shared Web hosting providers?

If the best practices for implementing shared hosting on Windows have been followed, the impact of the vulnerability is limited to the affected hosted application. You can assess which applications are exposed by running a .vbs script on the server that identifies exposed applications. We recommend that you urge the application administrators to apply the workaround to protect their applications. Once an ASP.NET fix is available, the workaround will no longer be required.

What does it mean to ASP.NET based SAAS solution providers?

Any solution that is based on ASP.NET might be exposed to the vulnerability. Follow the guidelines in ScottGu's blog to apply a workaround. Once an ASP.NET fix is available and the hosting machine is updated, the workaround will no longer be required.

What does it mean for virtual and dedicated server hosting?

To the extent that an application on a virtual server is an ASP.NET application, it might be exposed to the vulnerability; we advise contacting the application administrators and urging them to apply the workaround. Once an ASP.NET fix is available, the administrator of the virtual operating system image will need to update the server for a permanent fix.

You can learn more about the issue and how to resolve it in the FAQ for the ASP.NET security vulnerability.

Thank you,

Microsoft Hosting Team