
Microsoft Patch Disclosure
September 28th, 2010

Overview
Today, Microsoft released a special out-of-band patch which repairs a vulnerability in ASP.NET that could allow information disclosure.

Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.

Vulnerability Expert Forum
Attend our upcoming Vulnerability Expert Forum for complete analysis of recent critical vulnerabilities.

Presenter: The eEye Research Team
Date/Time: Wednesday October 13th at 11am PDT / 2pm EDT

Patch Precedence
Please note that Microsoft will NOT initially be issuing this patch through normal automatic updates. The patch must be installed manually from the Microsoft Download Center. After further testing, Microsoft will release the security update through the normal distribution methods.

eEye suggests that all users with Microsoft IIS servers apply this out-of-band patch immediately. Those using ViewState should test the impact of this patch on internal applications and network continuity.

For those who would like further information regarding the potential risks and remediation requirements of all patches, please consider attending next month's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.

Bulletin/Advisory Summary

Important
MS10-070 - Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

Bulletin/Advisory Details

MS10-070
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
Microsoft Severity Rating: Important
eEye Severity Rating: Critical

Description
This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability. The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET.

  • ASP.NET Padding Oracle Vulnerability - CVE-2010-3332
    An information disclosure vulnerability exists in ASP.NET due to improper error handling during encryption padding verification. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can also be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config.

Analysis
This vulnerability is exploited by an attacker repeatedly sending modified HTTP requests to a web server. Depending on the error returned, the attacker can deduce which encryption scheme the server is using and thus read and write encrypted requests. This can be done within 40 minutes and allows an attacker to send spoofed requests to ScriptResource.axd that request the contents of a file stored on the server. The server accepts the attacker's crafted ciphertext, which can then be used to compromise the server.

Recommendations
If you are using Microsoft IIS as a web server, install the patch immediately. Until the patch has been installed, administrators should configure servers to respond with a single error page for all server errors, so that an attacker cannot determine which part of a request was deciphered correctly. In addition, modify the Page_Load() function of the custom error page to pause for a short random delay before sending the error response.

Administrators should watch for errors containing the messages "CryptographicException" and/or "Padding is invalid and cannot be removed", as these could indicate that an attacker is trying to exploit this vulnerability against an IIS server.
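Detection logic for the indicator messages named above, as an added example that is not part of the original newsletter: it scans constructed sample error-log lines (the log format is an assumption; adapt the regex to your own ASP.NET error logging) and flags any client that produces a burst of padding errors, since an oracle attack needs many such requests while an isolated stale-ViewState error is routine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page): one entry per
# failed request, with timestamp, client IP, requested path and the ASP.NET
# exception text. The format is an assumption; adapt LINE_RE to your logs.
SAMPLE_LOG = """\
2010-09-28T10:00:01Z 203.0.113.5 /ScriptResource.axd System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
2010-09-28T10:00:02Z 203.0.113.5 /ScriptResource.axd System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
2010-09-28T10:00:02Z 198.51.100.7 /Default.aspx System.NullReferenceException: Object reference not set to an instance of an object.
2010-09-28T10:00:03Z 203.0.113.5 /WebResource.axd System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
2010-09-28T10:00:04Z 203.0.113.5 /ScriptResource.axd System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
2010-09-28T10:00:05Z 203.0.113.5 /ScriptResource.axd System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
2010-09-28T10:30:00Z 198.51.100.7 /Default.aspx System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<path>\S+)\s+(?P<msg>.*)$")
# The two indicator strings the advisory tells administrators to watch for.
INDICATORS = ("CryptographicException", "Padding is invalid and cannot be removed")

def is_padding_error(msg):
    return any(ind in msg for ind in INDICATORS)

def detect_padding_oracle_probes(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: count} for clients whose padding errors reach `threshold`
    within any sliding `window`. One error is a normal stale-ViewState event;
    a sustained burst from one client is the pattern an oracle attack produces."""
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_padding_error(m["msg"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop errors older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[m["ip"]] = max(alerts.get(m["ip"], 0), len(q))
    return alerts

if __name__ == "__main__":
    for ip, n in detect_padding_oracle_probes(SAMPLE_LOG).items():
        print(f"ALERT: {n} padding errors within 1 min from {ip}")
```

Tune the threshold and window to the error rate your application normally produces; the single late error from the second client in the sample is deliberately left below the threshold.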

Feedback
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to newsletter@eeye.com.

Disclaimer
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email newsletter@eeye.com for permission.
www.eeye.com | sales@eeye.com | 111 Theory, Suite 250, Irvine, CA 92617 | 866.339.3732
© 1998 – 2012 eEye Digital Security. All rights reserved.