Microsoft ASP.NET Vulnerability
(Microsoft Bulletin MS10-070, Microsoft Advisory 2416728, CVE-2010-3332)
Summary
Microsoft released a Security Advisory on September 17, 2010 that concerns an unpatched vulnerability in ASP.NET that could allow an attacker to view and modify data encrypted by a server that delivers ASP.NET content, and subsequently obtain sensitive data stored on that server such as passwords and other confidential content.
Details
ASP.NET is a Microsoft web application framework that allows programmers to create dynamic web sites, web applications, and web services.
A vulnerability in ASP.NET’s encryption implementation can allow a malicious attacker to decrypt and tamper with sensitive data contained in an ASP.NET application. The attacker could send this modified data back to the server and observe the error codes returned by the server. By observing these error codes, an attacker could gain enough information to obtain the contents of an arbitrary file within the ASP.NET application.
Affected Products
This vulnerability exists in the .NET Framework components of several versions of Windows XP, Windows Server 2003 and 2008, Windows Vista, and Windows 7. Please consult the Microsoft Advisory for details.
Solution
Microsoft released an out-of-band security update, described in MS10-070, on September 28, 2010. Check Point IPS Software Blade, IPS-1, and SmartDefense have provided network protection against this vulnerability since September 19 by detecting and blocking multiple HTTP error responses. For more information, see SBP-2010-24.
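The attack described under Details depends on the attacker sending many tampered requests and watching the error responses the server returns, which is why a protection that counts repeated HTTP error responses is effective. The script below is an added illustration of that detection idea, written for this page; it is not Check Point's or Microsoft's code. It reads constructed log lines in a simplified IIS/W3C-style layout (date, time, client IP, method, URI, status) and flags any client that triggers a threshold number of error responses within a sliding time window. The log layout, the status codes treated as errors (500 here), the threshold of 5 and the 60-second window are all assumptions chosen for the example.

```python
"""Flag clients that trigger repeated HTTP error responses in a short window.

Added example for this advisory page; not Check Point's or Microsoft's code.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic), simplified IIS/W3C style:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2010-09-20 10:00:01 203.0.113.7 GET /App/Page.aspx 500
2010-09-20 10:00:02 203.0.113.7 GET /App/Page.aspx 500
2010-09-20 10:00:03 198.51.100.4 GET /App/Page.aspx 200
2010-09-20 10:00:03 203.0.113.7 GET /App/Page.aspx 500
2010-09-20 10:00:04 203.0.113.7 GET /App/Page.aspx 500
2010-09-20 10:00:05 198.51.100.4 GET /App/Other.aspx 500
2010-09-20 10:00:06 203.0.113.7 GET /App/Page.aspx 500
2010-09-20 10:00:07 198.51.100.4 GET /App/Page.aspx 200
2010-09-20 10:00:08 203.0.113.7 GET /App/Page.aspx 500
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Split one log line into (timestamp, client_ip, method, uri, status)."""
    date, time, ip, method, uri, status = line.split()
    ts = datetime.strptime(f"{date} {time}", TIME_FORMAT)
    return ts, ip, method, uri, int(status)


def find_error_floods(lines, threshold=5, window_seconds=60, error_statuses=(500,)):
    """Return {client_ip: timestamp} for clients whose error responses reach
    `threshold` inside any `window_seconds` window. The timestamp is the
    moment the threshold was first reached, as a string in TIME_FORMAT.

    Assumed parameters: threshold=5 and a 60-second window (example values).
    """
    # Per-client queue of recent error timestamps, oldest first.
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C header/comment lines
        ts, ip, _method, _uri, status = parse_line(line)
        if status not in error_statuses:
            continue  # only error responses feed the counter
        recent = windows[ip]
        recent.append(ts)
        cutoff = ts - timedelta(seconds=window_seconds)
        while recent and recent[0] < cutoff:
            recent.popleft()  # drop errors that fell out of the window
        if len(recent) >= threshold and ip not in flagged:
            flagged[ip] = ts.strftime(TIME_FORMAT)
    return flagged


if __name__ == "__main__":
    for client, when in find_error_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{client} reached the error threshold at {when}")
```

In the sample, 203.0.113.7 produces its fifth 500 response at 10:00:06 and is flagged, while 198.51.100.4, with a single error among normal requests, is not. A production rule would tune the threshold and window against the application's normal error rate and would act on the flag (rate-limit, block, or alert) rather than only report it.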
Published September 21, 2010
Updated September 28, 2010