Vulnerability in ASP.NET Could Allow Information Disclosure

Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. Microsoft is aware of limited, active attacks at this time.

Microsoft is actively working with partners in the Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
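
The behaviour described above, in which altered encrypted values are sent back and the returned error codes observed, leaves a recognisable pattern in web server logs: one client sending many distinct values of the same parameter to one path, almost all of them failing. The following is an added example, not part of the advisory and not Microsoft code; the simplified log layout, the path `/app/handler.axd`, the sample lines and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified IIS W3C layout (assumed field order);
# /app/handler.axd is a hypothetical path, addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"]
    # One client sending 40 different values of an encrypted parameter, all failing.
    + [f"2010-09-18 10:00:{i:02d} 203.0.113.7 GET /app/handler.axd d=TOKEN{i:03d} 500"
       for i in range(40)]
    # Ordinary traffic: successful requests and one stray error without a query.
    + ["2010-09-18 10:00:05 198.51.100.20 GET /app/handler.axd d=TOKENAAA 200",
       "2010-09-18 10:00:09 198.51.100.20 GET /app/default.aspx - 200",
       "2010-09-18 10:00:30 198.51.100.21 GET /app/missing.aspx - 404"]
)

def parse(log_text):
    """Yield (timestamp, client, path, query, status) for each data line."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, client, _method, path, query, status = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, client, path, query, int(status)

def find_probing(log_text, threshold=20, window=timedelta(minutes=1)):
    """Return {(client, path): count} where one client sent more than
    `threshold` distinct failing query values to one path within `window`."""
    failures = defaultdict(list)
    for ts, client, path, query, status in parse(log_text):
        if status >= 400 and query != "-":
            failures[(client, path)].append((ts, query))
    flagged = {}
    for key, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({q for _, q in events[start:end + 1]})
            if distinct > threshold:
                flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged
```

The threshold and window need tuning against normal traffic for the site being monitored before this is used for alerting.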

Affected Software

| Operating System | Component |
|---|---|
| Windows XP | |
| Windows XP Media Center Edition 2005 and Windows XP Tablet PC Edition 2005 | Microsoft .NET Framework 1.0 SP 3 |
| Windows XP SP 3 | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 2.0 SP 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows XP Professional x64 Edition SP 2 | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 2.0 SP 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Server 2003 | |
| Windows Server 2003 SP 2 | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 2.0 SP 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Server 2003 x64 Edition SP 2 | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 2.0 SP 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 2.0 SP 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Vista | |
| Windows Vista SP 1 | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Vista SP 2 | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Vista x64 Edition SP 1 | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Vista x64 Edition SP 2 | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 | |
| Windows Server 2008 for 32-bit Systems** | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for 32-bit Systems SP 2** | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for x64-based Systems** | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for x64-based Systems SP 2** | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for Itanium-based Systems | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for Itanium-based Systems SP 2 | Microsoft .NET Framework 1.1 SP 1; Microsoft .NET Framework 3.5 SP 1; Microsoft .NET Framework 4.0 |
| Windows 7 | |
| Windows 7 for 32-bit Systems | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |
| Windows 7 for x64-based Systems | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 R2 | |
| Windows Server 2008 R2 for x64-based Systems* | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 R2 for Itanium-based systems | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |

*Server Core installation affected. This vulnerability applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

**Server Core installation not affected. This vulnerability does not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.
