Out Of Band Security Update for ASP.NET

Today, as part of Microsoft’s ongoing commitment to protect its customers with security updates and the latest guidance on the threat landscape, the company is releasing MS10-070 as an out-of-band security update. The update addresses a vulnerability in ASP.NET, as described in Security Advisory 2416728, and carries a maximum severity rating of Important and an Exploitability Index rating of 1. As outlined in the advisory, the vulnerability affects the ASP.NET framework on Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

Microsoft recommends that its customers deploy the update as soon as possible to help protect their computers from criminal attacks. Please see the Microsoft Security Response Center (MSRC) blog for more details.

As always, please let us know if you have any questions!

 

What is the purpose of this alert?

 

This alert is to provide you with an overview of the new security bulletin being released (out-of-band) on September 28, 2010.

 

New Security Bulletin Overview

 

Microsoft is releasing one new security bulletin (out-of-band) for newly discovered vulnerabilities:

 

 

Executive Summary

 

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

 

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET.
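
The fix described above, signing data that the server encrypts, is shown here as an added Python illustration; it is not Microsoft's code and not part of the bulletin. The function names, the keys, the sample value and the `toy_cipher` stand-in for the server's real cipher are all assumptions made so the example runs offline.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

class TamperedBlob(Exception):
    """Signature check failed; the ciphertext never reached the cipher."""

def toy_cipher(data: bytes, enc_key: bytes) -> bytes:
    # Stand-in for the server's real cipher (assumption, NOT secure):
    # XOR with a SHA-256-derived keystream, so encrypt == decrypt.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(enc_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(plaintext: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    # Encrypt, then sign the ciphertext with a separate key.
    ciphertext = toy_cipher(plaintext, enc_key)
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def unprotect(blob: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    # Verify the signature first; decrypt only data the server produced.
    if len(blob) < TAG_LEN:
        raise TamperedBlob("blob shorter than a signature")
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise TamperedBlob("signature mismatch")
    return toy_cipher(ciphertext, enc_key)

def count_rejected_bit_flips(blob: bytes, enc_key: bytes, mac_key: bytes) -> int:
    # Flip every bit of the blob in turn and count how many copies are refused.
    rejected = 0
    for bit in range(len(blob) * 8):
        mutated = bytearray(blob)
        mutated[bit // 8] ^= 1 << (bit % 8)
        try:
            unprotect(bytes(mutated), enc_key, mac_key)
        except TamperedBlob:
            rejected += 1
    return rejected

# Constructed sample values, not taken from the bulletin.
ENC_KEY, MAC_KEY = b"demo-enc-key", b"demo-mac-key"
SAMPLE = b"user=alice;role=reader"
```

Every single-bit change to a signed blob is refused before decryption, whereas the same change to unsigned ciphertext decrypts without error into altered data.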

 

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

 

Public Bulletin Webcast

 

Microsoft will host a webcast to address customer questions on this bulletin:

Title: Information about Microsoft’s September 2010 (OOB) Security Bulletin Release (Level 200)

Date: Tuesday, September 28, 2010, 1:00 P.M. Pacific Time (U.S. and Canada)

URL: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032464130

 

Public Resources Related to This Alert

 

· Security Bulletin MS10-070 – Vulnerability in ASP.NET Could Allow Information Disclosure (2418042): https://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

· Security Advisory 2416728 – Vulnerability in ASP.NET Could Allow Information Disclosure: https://www.microsoft.com/technet/security/advisory/2416728.mspx

· Microsoft Security Response Center (MSRC) Blog: https://blogs.technet.com/msrc/

· Microsoft Security Research & Defense (SRD) Blog: https://blogs.technet.com/srd/

· Microsoft Malware Protection Center (MMPC) Blog: https://blogs.technet.com/mmpc/

 

New Security Bulletin Technical Details

 

In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle web site at https://support.microsoft.com/lifecycle/.