Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint
**< Updated 29/sept/2010 >**
Out of Band Release to Address Microsoft Security Advisory 2416728
27 Sep 2010 7:13 PM rriley
x-post from the Microsoft Security Response Center blog.
Today we provided advance notification to customers that we will release an out-of-band security update to address the vulnerability discussed in Security Advisory 2416728. The update is scheduled for release tomorrow, Tuesday, September 28, 2010 at approximately 10:00 AM PDT. The bulletin has a severity rating of Important and addresses a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework when used on Windows Server operating systems. Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a Web server from their computer.
Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds.
The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center. This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately. We strongly encourage these customers to visit the Download Center, download the update, test it in their environment and deploy it as soon as possible.
The update will also be released through Windows Update and Windows Server Update Services within the next few days as we test to make sure distribution will be successful through these channels. This approach allows us to release sooner to customers who may choose to deploy it manually without delaying for broader distribution.
For customers using Automatic Update, this Security Update will automatically be applied once it is released broadly. Once the Security Update is applied, customers are protected against known attacks related to Security Advisory 2416728.
We will also hold a special edition webcast for the bulletin release on Tuesday, September 28, 2010 at 1:00 PM PDT, where we will present information on the bulletin and take customer questions. If you are interested in attending the webcast, click here to sign up.
ASP.NET Security Update Shipping Tuesday, Sept 28th – Scott Guthrie’s blog.
Out of Band Release to Address Microsoft Security Advisory 2416728 – Microsoft Security Response Center
Microsoft Security Bulletin Advance Notification for September 2010 – TechNet Security Bulletin
** </Updated 29/sept/2010 >**
** Updated 21/sept/2010 11:05PM *** – Updated with workaround for SharePoint Server 2007 and Windows SharePoint Services 3.0 and updated SharePoint 2010 workaround.
** Updated 21/sept/2010 3:06PM *** – Included details for previous releases and workaround for WSS 2.0
Please note the important change from the 3:06PM update to this blog post.
We originally stated that SharePoint Server 2007 and Windows SharePoint Services 3.0 did not require the workaround to be applied, however, we have recently discovered through testing that a variant of the issue does affect SharePoint Server 2007 and Windows SharePoint Services 3.0 and also requires extra steps in the workaround for SharePoint Server 2010 (Steps 5-9).
Customers with these versions should refer to the relevant workaround as shown in the SharePoint Team blog. We will continue to keep this post updated with the latest guidance.
We recently released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This post documents recommended workarounds for the following SharePoint products:
- SharePoint 2010
- SharePoint Foundation 2010
- Windows SharePoint Services 2.0
Workarounds are not necessary for the following products:
- Microsoft Office SharePoint Server 2007
- Windows SharePoint Services 3.0
- SharePoint Portal Server 2003
For more info refer to Richard Riley’s post on SharePoint Team blog.