ASP.NET MVC Security Bulletin MS14-059 ships to help secure .NET NuGet Libraries

Microsoft Security Bulletin MS14-059 – Important: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942)

This is the first release from Microsoft that uses Security Updates for .NET NuGet Libraries support. This feature enables Microsoft to update app-deployed .NET NuGet libraries on machines with the .NET Framework 4.5.1 or a later version installed. This security bulletin was released on 10/14/2014 as part of the monthly “Patch Tuesday”.

This security update is rated “Important” for ASP.NET MVC 2.0, ASP.NET MVC 3.0, ASP.NET MVC 4.0, ASP.NET MVC 5.0, and ASP.NET MVC 5.1. All potentially impacted applications and machines should install or deploy this update.

  • The vulnerability could allow security feature bypass if an attacker convinces a user to click a specially crafted link or to visit a webpage that contains specially crafted content designed to exploit the vulnerability.

Security Update Deployment Options:

  1. Automatic Update via Microsoft Update
    1. Installing the MS14-059 patch will secure the machine and all applications hosted on the machine.
    2. Patches will be pushed to all machines with automatic updating enabled if either of the following two criteria is met:
      1. MVC 2.0, MVC 3.0, or MVC 4.0 is installed, or
      2. The system is running Microsoft .NET Framework 4.5.1 and an application with the affected component (System.Web.Mvc.dll for ASP.NET MVC 2.0, 3.0, 4.0, 5.0, and 5.1) has previously been loaded.
  2. Manual install of the MS14-059 patch for customers who have Automatic Update disabled, who do not meet the above Microsoft Update criteria, or who are unsure whether their machine is secure
    1. Installing the MS14-059 patch will secure the machine and all applications hosted on the machine.
    2. Customers can check for updates using the Microsoft Update service, or can install the patch directly from the Microsoft Download Center (KB2990942).
  3. Updated NuGet packages have been published to NuGet.org for MVC 3.0, MVC 4.0, MVC 5.0, and MVC 5.1 to address this security vulnerability
    1. It is recommended that all customers who do not control their server redeploy each application after downloading and installing the updated NuGet packages.
    2. It is also recommended that customers update their apps to use the updated versions of these NuGet packages to ensure that they are testing with those versions.
    3. For more information on the released ASP.NET MVC NuGet packages, please review the Security Update Deployment section of the MS14-059 bulletin.
    4. For more information about managing NuGet packages using the NuGet dialog, see Managing NuGet Packages Using the Dialog.

There are some known issues with this update: some ASP.NET MVC 3 and ASP.NET MVC 4 projects can no longer build in Microsoft Visual Studio after the update is applied.

What does the update do to my system and how is my MVC application affected?

  • For MVC 2.0, 3.0, 4.0, 5.0, and 5.1, the MSI update installs the fixed assembly (System.Web.Mvc.dll) in the GAC. Vulnerable versions of the assembly (System.Web.Mvc.dll) that were deployed with applications are overridden by the secure version in the GAC.
  • For MVC 3.0 and MVC 4.0, the vulnerable version of System.Web.Mvc.dll may also be installed in the GAC. The fixed version is installed in the GAC with a higher version number and an accompanying publisher policy that redirects previous versions of the assembly to the new version.
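Because the GAC copy wins over the copy deployed in an application's bin folder, the practical question after patching is which copies of System.Web.Mvc.dll a server actually carries and at what versions. The PowerShell script below is an added example, not code from the bulletin or from Microsoft: it lists every System.Web.Mvc.dll under an application's bin folder and under the GAC roots with assembly and file versions, lists any publisher policy assembly for System.Web.Mvc (the mechanism the bulletin describes for MVC 3.0 and 4.0), and, if a packages.config is present in the folder, reports the Microsoft.AspNet.Mvc package version it references. The $AppPath parameter, the GAC root paths and the packages.config location are assumptions about a typical .NET Framework deployment; the script only reports versions, and the fixed version numbers to compare against come from the bulletin.

```powershell
# Added example (not part of the MS14-059 bulletin): inventory System.Web.Mvc.dll copies
# on a server. Requires PowerShell 3.0 or later (for Get-ChildItem -File).
param(
    [Parameter(Mandatory = $true)]
    [string]$AppPath   # assumption: root folder of the deployed (or source) ASP.NET MVC application
)

$assemblyName = 'System.Web.Mvc.dll'
# Assumed GAC roots: .NET 4.x assemblies live under Microsoft.NET\assembly,
# the older GAC root is %WINDIR%\assembly
$gacRoots = @("$env:WINDIR\Microsoft.NET\assembly", "$env:WINDIR\assembly")

function Get-MvcAssemblyInfo {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return }
    Get-ChildItem -Path $Path -Filter $assemblyName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # GetAssemblyName reads the identity metadata without loading the assembly's code
            $id = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName)
            [pscustomobject]@{
                Location        = $_.FullName
                AssemblyVersion = $id.Version.ToString()
                FileVersion     = $_.VersionInfo.FileVersion
                LastWrite       = $_.LastWriteTime
            }
        }
}

Write-Output "== $assemblyName deployed with the application =="
Get-MvcAssemblyInfo -Path (Join-Path $AppPath 'bin') | Format-Table -AutoSize

Write-Output "== $assemblyName in the Global Assembly Cache =="
$gacRoots | ForEach-Object { Get-MvcAssemblyInfo -Path $_ } | Format-Table -AutoSize

# For MVC 3.0 / 4.0 the fix relies on a publisher policy assembly (policy.<major>.<minor>.System.Web.Mvc.dll)
# redirecting older assembly versions to the new one; list any such policy assemblies
Write-Output "== Publisher policy assemblies for System.Web.Mvc in the GAC =="
$gacRoots | ForEach-Object {
    if (Test-Path $_) {
        Get-ChildItem -Path $_ -Filter 'policy.*.System.Web.Mvc.dll' -Recurse -File -ErrorAction SilentlyContinue
    }
} | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# If the application's source tree is available, show which NuGet package version it pins
$packagesConfig = Join-Path $AppPath 'packages.config'
if (Test-Path $packagesConfig) {
    [xml]$pkgs = Get-Content $packagesConfig
    $mvc = $pkgs.packages.package | Where-Object { $_.id -eq 'Microsoft.AspNet.Mvc' }
    Write-Output "== Microsoft.AspNet.Mvc in packages.config =="
    if ($mvc) { Write-Output ("version {0}" -f $mvc.version) } else { Write-Output 'not referenced' }
}
```

Run it as `.\Get-MvcAssemblyInventory.ps1 -AppPath C:\inetpub\wwwroot\MyApp` (script name and path are assumed) on each web server. Two readings follow from the bulletin's description: a machine that shows only an application-deployed copy and nothing in the GAC has not received the MSI update, so that application is protected only if it was redeployed with the updated NuGet package; and for MVC 3.0 or 4.0 a vulnerable GAC copy alongside a higher-versioned fixed copy is expected, provided the corresponding publisher policy assembly is present to redirect the old version.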

More details about this vulnerability can be found in the security bulletin MS14-059. Please refer to the “Update FAQ” section of the security bulletin to better understand how Microsoft security updates for .NET NuGet Libraries are supported. Please refer to the “Security Update Deployment” section for more information on the NuGet packages, deployment, and patch details.