
SANS ISC: MS10-070 OOB Patch for ASP.NET vulnerability SANS ISC InfoSec Forums


@Seccubus Thanks for that great summary of the webcast! Really helpful!
Patk7

9 Posts
Weird thing about the patch downloads. When you click on the download for .NET 2.0 SP2, the page that appears is a download page for 2.0 SP2 AND 3.5 SP1. (but the files being installed are shown as version 2.0.xxxxxx).

But if you click on the download for .NET 3.5 SP1, a separate download appears, targeted at only 3.5 SP1.

That's what I hate about manual downloads, we have to make assumptions about the patch logic. I have a server that has both 2.0 SP2 and 3.5 SP1 installed. My assumption is I install the first patch, then the second...
Patk7

9 Posts
I'm seeing normal updates for .net now at Microsoft Update.
Patk7
4 Posts
According to http://www.troyhunt.com/2010/09/do-you-trust-your-hosting-provider-and.html (thanks Troy!), to check whether your ISP has patched your webshop server, enter the following URL in your favorite web browser (adjust the hostname, the rest is fine):

http://www.example.com/WebResource.axd?d=zt87v2JeCPKYzqUfGEffpA2

Before patching, if publicly disclosing errors was _not_ disabled (which seems typical), you'll see:
____"Error: Padding is invalid and cannot be removed"____
accompanied by a lot of error-message-chatter mentioning "rijndael", "encrypt", "decrypt" etc. In that case, _after_ patching, you'll see:
____"Error: This is an invalid webresource request"____
and nothing that refers to crypto.

Obviously you'll not be the only one firing such URLs at your webshop. Anxious customers might, and perhaps a couple of script kiddies (so expect some extra log lines)...

BTW an ASP.NET server (W2K3) I patched today (.NET 1.1, 2.0 and 3.5) behaved exactly as described above, without any reboots after installing the applicable patches.

If you still think your ASP.NET site (in particular DotNetNuke-based) doesn't need patching, check this out:
Title: POET vs ASP.NET: don't waste time implementing useless workarounds - you should patch ;-)
Movie: http://www.youtube.com/watch?v=mP6mKLh1FBw

Although the POET version that attacks ASP.NET has (AFAIK) not yet been publicly released, others are building similar exploits, some of which _are_ publicly released. For example, see http://www.immunityinc.com/ceu-index.shtml (source: http://twitter.com/nicowaisman) and http://www.gdssecurity.com/l/b/2010/09/28/new-version-of-padbuster-available-for-download/

Personally I wouldn't have changed InfoCon back to green. This might get messy soon...
Erik van Straten

125 Posts
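Added example, not part of the posts above or of any SANS or Microsoft tooling: a small Python check over IIS W3C logs that separates the single "is it patched?" request described above from a client cycling through many altered `d=` values on the `.axd` handlers, which is what padding-oracle tooling has to do. The threshold, the choice to count any 4xx/5xx response, and the sample log lines are assumptions made for this sketch.

```python
from collections import defaultdict
from urllib.parse import parse_qs

HANDLERS = ("/webresource.axd", "/scriptresource.axd")
THRESHOLD = 20  # assumed cut-off: distinct failing d= values per client

def parse_w3c(lines):
    """Yield one dict per request, using the log's own #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def suspicious_clients(lines, threshold=THRESHOLD):
    """Return {client_ip: distinct failing d values} at or above threshold."""
    failing = defaultdict(set)
    for req in parse_w3c(lines):
        if not req.get("cs-uri-stem", "").lower().endswith(HANDLERS):
            continue
        if not req.get("sc-status", "").startswith(("4", "5")):
            continue  # only rejected requests are counted (assumption)
        d = parse_qs(req.get("cs-uri-query", "")).get("d", [""])[0]
        failing[req.get("c-ip", "?")].add(d)
    return {ip: len(ds) for ip, ds in failing.items() if len(ds) >= threshold}

def constructed_sample():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    log = ["#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status"]
    row = "2010-09-29 10:%02d:%02d GET /WebResource.axd d=%s %s %s"
    # One visitor trying the single check URL quoted in the post.
    log.append(row % (0, 1, "zt87v2JeCPKYzqUfGEffpA2", "192.0.2.15", 500))
    # A normal browser fetching a valid resource repeatedly.
    log += [row % (1, i, "validToken1&t=1", "198.51.100.20", 200) for i in range(5)]
    # A client cycling through many altered d= values, all rejected.
    log += [row % (2, i, "probe%04d" % i, "203.0.113.7", 500) for i in range(40)]
    return log

if __name__ == "__main__":
    print(suspicious_clients(constructed_sample()))
```

Counting distinct `d=` values rather than raw hits keeps a browser that re-requests the same resource, or a customer trying the check URL once, out of the result.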
Scott Gu's page referenced above mentions selecting the patches based on the "versions" of .NET you are running, so, yes, you do need to install multiple patches on one server if you're running multiple .NET framework versions. He indicates this is even true for 3.5 and 3.5sp1, that you need to install patches for both apparently if you're running 3.5sp1.

In that case he says order is not relevant; I imagine that applies to all issues of patching order for disparate .NET versions, but it's not perfectly clear.

packetdude

22 Posts
Anyone know why they'd release the .NET patches to workstations? WSUS is telling me that every workstation qualifies for one or more of these patches, even though none of them run IIS (except a few in our software development dept). Any ideas?
packetdude
8 Posts
@GDub the patch is a patch for a .net flaw, not actually specifically for ASP.Net, although that is the only place this vulnerability actually manifests itself. Any patched .net install that has IIS added (and yes, you can add IIS to a workstation) will expose this vulnerability. Hence MS took the (IMHO correct) decision that all .net installs with the vulnerability should be patched.
packetdude
10 Posts
