Archive

Archive for the ‘.NET’ Category

Microsoft Bounty Programs Expansion – .NET Core and ASP.NET Beta Bounty

October 20th, 2015 No comments

Today, I have another exciting expansion of the Microsoft Bounty Programs to announce. Please visit https://aka.ms/bugbounty to find out more. I’ll be discussing this new bounty in my talk at SyScan360 on October 21, 2015. We are delighted to offer a bounty for the .NET Core and ASP.NET Beta which Microsoft released earlier this month.

.NET and ASP.NET represent critical building blocks in the Visual Studio Development Suite. This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many Operating Systems. This will extend to all supported platforms, initially including Linux and OS X, with some current exclusions to non-Windows platforms. You can find more information in the FAQs, .NET program terms and the .NET team’s blog. The highlights are as follows:

  • .NET Core and ASP.NET Beta 8 and any subsequent Betas or Release Candidates during the bounty period

  • Presently includes supported platforms on Windows, OS X and Linux

  • The bounty will run October 20, 2015 – January 20, 2016

  • Bounty payouts will range from $500 USD to $15,000 USD

These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.

Happy Hacking!

Jason Shirk

Categories: .NET, ASP.NET, Bounty Programs Tags:

Microsoft Bounty Programs Expansion – .NET Core and ASP.NET Beta Bounty

October 20th, 2015 No comments

Today, I have another exciting expansion of the Microsoft Bounty Programs to announce. Please visit https://aka.ms/bugbounty to find out more. I’ll be discussing this new bounty in my talk at SyScan360 on October 21, 2015. We are delighted to offer a bounty for the .NET Core and ASP.NET Beta which Microsoft released earlier this month.

.NET and ASP.NET represent critical building blocks in the Visual Studio Development Suite. This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many Operating Systems. This will extend to all supported platforms, initially including Linux and OS X, with some current exclusions to non-Windows platforms. You can find more information in the FAQs, .NET program terms and the .NET team’s blog. The highlights are as follows:

  • .NET Core and ASP.NET Beta 8 and any subsequent Betas or Release Candidates during the bounty period

  • Presently includes supported platforms on Windows, OS X and Linux

  • The bounty will run October 20, 2015 – January 20, 2016

  • Bounty payouts will range from $500 USD to $15,000 USD

These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.

Happy Hacking!

Jason Shirk

Categories: .NET, ASP.NET, Bounty Programs Tags:

Microsoft Bounty Programs Expansion – .NET Core and ASP.NET Beta Bounty

October 20th, 2015 No comments

Today, I have another exciting expansion of the Microsoft Bounty Programs to announce. Please visit https://aka.ms/bugbounty to find out more. I’ll be discussing this new bounty in my talk at SyScan360 on October 21, 2015. We are delighted to offer a bounty for the .NET Core and ASP.NET Beta which Microsoft released earlier this month.

.NET and ASP.NET represent critical building blocks in the Visual Studio Development Suite. This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many Operating Systems. This will extend to all supported platforms, initially including Linux and OS X, with some current exclusions to non-Windows platforms. You can find more information in the FAQs, .NET program terms and the .NET team’s blog. The highlights are as follows:

  • .NET Core and ASP.NET Beta 8 and any subsequent Betas or Release Candidates during the bounty period

  • Presently includes supported platforms on Windows, OS X and Linux

  • The bounty will run October 20, 2015 – January 20, 2016

  • Bounty payouts will range from $500 USD to $15,000 USD

These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.

Happy Hacking!

Jason Shirk

Categories: .NET, ASP.NET, Bounty Programs Tags:

September 2014 Security Bulletin Release Webcast and Q&A

September 13th, 2014 No comments

Today we’re publishing the September 2014 Security Bulletin Webcast Questions & Answers page.  We fielded four questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS14-052) and a question about the Windows Update client.  

We invite you to join us for the next scheduled webcast on Wednesday, October 8, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the October bulletin release and answer your bulletin deployment questions live on the air. 

Thanks,

Dustin Childs

Group Manager, Response Communications Microsoft Trustworthy Computing

September 2014 Security Bulletin Release Webcast and Q&A

September 13th, 2014 No comments

Today we’re publishing the September 2014 Security Bulletin Webcast Questions & Answers page.  We fielded four questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS14-052) and a question about the Windows Update client.  

We invite you to join us for the next scheduled webcast on Wednesday, October 8, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the October bulletin release and answer your bulletin deployment questions live on the air. 

Thanks,

Dustin Childs

Group Manager, Response Communications Microsoft Trustworthy Computing

Pennybridge förenklar välgörenhet med .net

December 11th, 2013 No comments

Att utveckla en egen plattformslösning skulle ta för lång tid tyckte insamlingsföretaget Pennybridge. Valet föll på .net – ett ramverk med kort utvecklingstid.

Svenska Pennybridge startar sin nya verksamhet som ger privatpersoner och snart även företag en plattform för insamling till välgörenhet och föreningsliv. Med hjälp av lösningen kan givarna föra över pengar till olika organisationer vid ett och samma tillfälle, vilket förenklar för givare som vill engagera sig i fler välgörande ändamål.

Bonigi i Huskvarna har hjälpt Pennybridge att utveckla plattformen och Nitma sköter hosting och drift.

Vi var först inne på att bygga tjänsten på en e-handelsplattform, men det visade sig vara en för stor kostym för våra ändamål, säger Daniel Bergqvist, VD på Pennybridge. Med .net kan vi välja de delar av ramverket som passar vårt syfte och vår storlek på tjänsten, samtidigt som det ger oss möjlighet att växa i framtiden.

På sikt räknar Pennybridge med expansion utomlands. Intresset är stort i bland annat USA.

En amerikan skänker fem gånger så mycket som en svensk till välgörenhet. Vi har fått tydliga indikationer på att vår lösning är intressant även utanför vårt lands gränser, säger Daniel Bergqvist.

Att registrera sig på pennybridge.org är gratis. Av de belopp som skänks går 95 procent till respektive välgörenhetsorganisation, de kvarvarande fem procenten tillfaller Pennybridge för att täcka utvecklings- och driftkostnader.

Läs mer om Pennybridge plattformslösning här!

För mer information, vänligen kontakta:

Daniel Bergqvist
VD, Pennybridge
Tel: 0736-26 81 14
daniel@pennybridge.org 

 

 

 

ASP.NET, Web API and ASP.NET Web Pages Open Sourced

March 28th, 2012 No comments

More Open Source goodness from Microsoft today, with the announcement that we are open sourcing ASP.NET MVC 4, ASP.NET Web API, ASP.NET Web Pages v2 (Razor) – all with contributions – under the Apache 2.0 license.

You can find the source on CodePlex, and all the details on Scott Guthrie’s blog.

“We will also for the first time allow developers outside of Microsoft to submit patches and code contributions that the Microsoft development team will review for potential inclusion in the products,” Guthrie says. “We announced a similar open development approach with the Windows Azure SDK last December, and have found it to be a great way to build an even tighter feedback loop with developers – and ultimately deliver even better products as a result.”

You can now browse, sync and build the source tree of ASP.NET MVC, Web API, and Razor here.

In short, as Principal Program Manager Scott Hanselman notes in his blog about all this goodness: Open Source = Increased Investment. ASP.NET is a part of .NET, it will still ship with Visual Studio. It’s the same ASP.NET, managed by the same developers with the same support.

It is also very important to note, as Guthrie points out, that ASP.NET MVC, Web API and Razor will continue to be fully supported Microsoft products that ship both standalone as well as part of Visual Studio (the same as they do today).

“They will also continue to be staffed by the same Microsoft developers that build them today (in fact, we have more Microsoft developers working on the ASP.NET team now than ever before),” he says. “Our goal with today’s announcement is to increase the feedback loop on the products even more, and allow us to deliver even better products. We are really excited about the improvements this will bring.”

CodePlex now Supports Git

March 22nd, 2012 No comments

Great news for our CodePlex community: CodePlex now supports Git!

Git has been one of the top rated requests from the CodePlex community for some time, and giving CodePlex users what they ask for and supporting their open source efforts has always been important to us.

And the goodness continues, as the CodePlex team has a long list of improvements planned.

So, why Git? CodePlex already has Mercurial for distributed version control and TFS (which also supports subversion clients) for centralized version control. The short answer is that the CodePlex community voted, loud and clear, that Git support was critical.

With the addition of Git, CodePlex now has three options when it comes to Open Source project hosting. Projects can now select between TFS, Mercurial, and Git.

Each developer has their own preferences, and for some, centralized version control makes more sense to them. For others, DVCS is the only way to go. We’re equally committed to supporting both these technologies for users.

You can get started today by creating a new project or contribute to an existing project by creating a fork.

For help on getting started with Git on CodePlex, see the help documentation here. If you would like to switch your project to use Git, please contact CodePlex Support with your project information.

For more information on this news, read the CodePlex blog.

New Interoperability Solutions for SQL Server 2012

March 22nd, 2012 No comments

I am excited to share some great news about how we are opening up the SQL Server data platform even further with expanded interoperability support through new tools that allow customers to modernize their infrastructure while maximizing existing investments and extending virtually any data anywhere.

The SQL Server team today introduced several tools that enable interoperability with SQL Server 2012.

These tools help developers to build secure, highly available and high performance applications for SQL Server in .NET, C/C++, Java and PHP, on-premises and in the cloud.

These new tools include a Microsoft SQL Server 2012 Native Client, a SQL Server ODBC Driver for Linux, backward compatibility with ADO.Net and the Microsoft JDBC Driver 4.0 and PHP Driver 3.0.

You can find more information on all this goodness on the SQL Server blog here.

Facebook C# SDK submitted to the Outercurve Foundation

March 20th, 2012 No comments

I am pleased to announce another open source milestone as we continue to deliver on our commitment to Interoperability: today, the Facebook C# SDK was submitted to the Outercurve Foundation’s Data, Languages, and Systems Interoperability gallery.

This project is a set of libraries that enables developers of all Microsoft platforms, as well as Mono, to build applications that integrate with Facebook. The project contains core libraries for authentication and calling Facebook APIs. Additionally, the project contains platform specific helpers such as extension methods for ASP.NET MVC.

The Facebook C# libraries give app developers a stable, small-footprint SDK that enables quick app integration into Facebook. This has allowed mobile and web app developers to quickly create Facebook apps that meet the needs of their customers.

The Facebook C# SDK has had 10 major releases, and has been downloaded more than 115,000 times, proving to be one of the most popular community-driven open source projects in the .Net ecosystem.

The project, which already has a significant user base, was hosted on CodePlex.com but has moved to github, with developer discussions supported on Stack Overflow.

Nathan Totten, Jim Zimmerman and Prabir Shrestha developed the Facebook C# SDK and contributed the project to the Outercurve Foundation, which currently has three galleries and 21 projects, each of which was contributed with funding and resources to support the project and/or gallery for a period of three years.

Of the 225 developers who currently contribute to Outercurve projects, fewer than 45% are employed by Microsoft.

Categories: .NET, Interoperability, Open Source Tags:

December 2011 Out-Of-Band Security Bulletin Webcast Q&A

December 30th, 2011 No comments

Hosts:              Jonathan Ness, Security Development Manager, MSRC

                          Pete Voss, Sr. Response Communications Manager, Trustworthy Computing

Website:         TechNet/Security

Chat Topic:     December 2011 Out-Of-Band Security Bulletin Release

Date:               Thursday, December 29, 2011

Q: How are Denial of Service, Tampering, Information Disclosure orSpoofing issues rated?
A: The Exploitability Index only attempts to rate vulnerabilities that can be leveraged for code execution. Vulnerabilities that could allow denial of service, tampering, information disclosure or spoofing will receive an Exploitability Index rating of “3.” The notes for that particular CVE will also reflect the nature of the vulnerability.

Q: One angle I’m interested in is those Microsoft products that might use forms authentication, such as Exchange 2010 or TMG 2010. If we’re using forms authentication there, does that mean we’re vulnerable?
A:
Any products that are using ASP.NET forms authentication will be secured with this update. This includes SharePoint and Exchange, when they are using ASP.NET forms authentication. If these products are using a Forms Authentication module other than the one provided by ASP.NET, then the issue addressed in this bulletin does not apply to you. 

Q: Why does Windows Update on Windows 2008 servers show this update, but the check-box next to it is un-checked? What is the difference between patches that are checked by default and those that are not checked?
A:
In the case of “Important Updates”, an update that is in the “PENDING” state will be unchecked when you view it in Windows Update. This means it is already queued for downloading. You can manually override this to start the download manually by checking the box next to the update. 

Q: Please confirm that if an IIS instance is installed that we are at risk for one of the CVE’s and therefore we should patch ASAP. The assumption is that the server has IIS without .NET components.
A:
By default, IIS is not installed with .NET and by default, .NET is not installed by ASP.NET. Customers would first need to have installed .NET framework with ASP.NET in order to be vulnerable to the vulnerabilities documented by MS11-100.

Q: What level of testing or specific tests is recommended for applications using ASP.NET? Is it highly likely that the hashing change will impact applications using the framework?
A:
Microsoft recommends that customers test this update before deploying. There is a change in how forms authentication occurs and will require updates to be deployed at the same time across server environments. Click here for more about forms authentication.  

Q: Can sample DoS requests be provided to allow us to understand what the DOS signature may look like so we can test the patch as well as monitor our production environments until the patching is completed?
A: For more technical information regarding MS11-100, please see the SRD blog, where we have shared a short signature detecting this issue.

Q: Is this critical to environments where there are no Internet-facing systems? And what if there is no IIS installed on the workstation — is it atrisk?
A:
Exploitation requires ASP.NET installed and to be exposed to input from unauthenticated users. Typically this is through IIS. If workstations do not have ASP.NET or IIS installed, then those systems are not exposed. 

Q: In the Critical Elevation of Privilege can the attacker elevate is privilege only if they have the username without having the password? Can we have machines with the fix and without the fix working with each other?
A:
Yes, the attacker only needs the username to carry out the attack. The fix involves changing the format of the forms authentication ticket, so that unpatched and patched machines cannot work with each other. So after patching you cannot have machines with the fix and without it working together, unless you set a configuration setting on the patched machines. For details, please read the FAQ for this CVE for more information on applying updates to web farms.

Q: For CVE-2011-3414, is there a requirement of authentication to exploit the DoS vulnerability successfully?
A:
No, CVE-2011-3414 is anunauthenticated Denial of Service.

Q: What could be a potential impact on server running IIS with custom code? In short, can this update impact server or service to go down after installation? Do you have any suggestions on installation on web servers running custom code?
A:
This update is specifically for ASP.NET, but the issue that was disclosed is an industry-wide issue concerning hash collisions. So, it is possible for your custom code to be affected, but you will need to investigate what kind of hash-tables your custom code uses and if it operates on untrusted user data.

Q: Is there a client-side patch that will protect users that fall for phishing attacks and visit websites that have not patched?
A: As clients are not affected by server-sided vulnerability, the security update does need to be installed on the server. 

Q: If the main target is Internet facing systems with IIS & ASP.NET installed, should I concentrate on patching my webservers first before patching client systems?
A:
Prioritization for this update would be specific to users’ environments, but servers that are internet-facing and accept input from unauthenticated or untrusted user-provided content are most affected and should be prioritized. Likewise, clients are typically not in a web server role, and so systems that are running a web server role should be prioritized. 

Q: What steps can I take to reproduce and see if/how my site is affected, and so I can confirm the issue is gone after applying the patch?
A: For the protection of customers, Microsoft does not disclose proof of concept code (POC). The technical details of this issue are however public.

Q: If Microsoft .NET Framework is installed on an IIS Server, does this mean that ASP.NET is also installed but possibly not enabled?
A:
Whether you have the .NET Framework (and ASP.NET) installed on a machine will depend upon the specific OS platform. Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 R2 and Windows Server 2008 R2 SP1 all ship with the .NET Framework 2.0 or higher, which includes ASP.NET, and you should install the corresponding patches listed in the security bulletin. If you are using an older Server OS such as Windows Server 2003 SP2 x86, then that platform includes .NET Framework 1.1 SP1, and you should install the corresponding patch listed in the security bulletin. 

Q: From a desktop browsing experience, this update will patch Windows XP, Vista and 7. If machines do not have IIS installed and enabled, as well as ASP.NET enabled, is the criticality of this update reduced? For example if the user goes to an internet site, would their desktop PC be vulnerable? It seems to be mostly if you have IIS and ASP.net installed and acting as a web server.
A:
If you have a client machine with no ASP.NET installed, then your desktop PC would not be vulnerable to the particular security issues that are being addressed in this update.

Q: ASP.Net has been identified for the DoS. How about classic ASP/ISAPI applications? Is it just a .Net hash-table issue? And has the Microsoft Foundation Class / ATL / Visual Basic 6.0 been checked?
A:
This is an industry-wide issue that could affect a broad spectrum of technologies. Since ASP.NET was at the greatest risk because of the public disclosure, we have focused our efforts so far on making sure we secure ASP.NET. We are actively investigating other technologies where this could be vulnerable and so far we do not think that classic ASP is vulnerable. Information on other affected technologies will be revealed as the issue develops.

Q: So just to be clear, Exchange 2010 Outlook Web Access isn’t vulnerable to the privilege of escalation? Just to the DOS?
A:
OWA 2010 can be configured for forms-based authentication. Based on this, it should be considered vulnerable. If there is any doubt, Microsoft KB Article 2638420 discusses parameters you can check for to verify if an application is using forms auth. Specifically, to determine whether your application uses forms authentication,
examine the System.web file. Applications that use forms authentication use the following entry in System.web file: <authentication mode=”Forms”>

Q: What tools are available to remotely scan systems to see if they’re vulnerable — that is, that IIS and ASP are installed and active?
A:
The Detection and Deployment Tools and Guidance section in the security bulletin provides information on how to identify systems to which this update applies. If you want to identify whether a system has IIS installed with ASP.NET enabled, the answer depends on the operating system that each system is running.

Q: Are only webservers vulnerable? We have limited personnel this weekend for QA and deployment. Are we pretty much covered if we just deploy to systems in our DMZ this weekend and then rest of the enterprise next week?
A:
Prioritization for this update would be specific to users’ environments, but servers that are internet-facing and accept input from unauthenticated or untrusted user provided content may be at greater risk than internal servers. 

Q: Sites that disallow “application/x-www-form-urlencoded” or “multipart/form-data” HTTP content types are not vulnerable. Is this set to disallow by default? How do we verify if it is set to disallow?
A: No, application/x-www-form-urlencoded or multipart/form-data are not disallowed by default. Customers will need to explicitly disallow these. Customers can do this by using IIS request filtering

Q: Forms authorization login from TMG/ISA doesn’t use ASP.NET. Is it still vulnerable?
A:
TMG is not exposed and is not related to the ASP.NET issue described in the bulletin.

Q: Do you suggest immediate patching of all servers (internal/external) or just of externally available servers and allow internal servers to be patched during the next patching cycle?
A:
 Once again, prioritization for this update would be specific to each user’s environment, but servers that are internet-facing and accept input from unauthenticated or untrusted user provided content may be at greater risk than internal servers. 

Q: Is the critical CVE related to forms authentication only an issue if the site is configured to support forms authentication without cookies? Or, are all forms authentication implementations impacted?
A:
No, this issue applies to all types of ASP.NET forms authentication, cookie and cookie-less.

Q: For CVE 2011-3414, does the patch change the size of request header accepted, place controls on the amount of CPU that can be used, or change the hashing functions used?
A:The security update addresses this issue by limiting the number of inputs ASP.NET accepts from clients.

Q: Does this patch limit the number of parameters passed in the post request? If so, what is the new limit? I am trying to determine what application problems may arise after applying the update.
A:
The security update addresses this issue by limiting the number of inputs ASP.NET accepts from clients. If you are interested in changing the number of parameters passed in the post request, please see the section of the bulletin titled Workarounds for Collisions in HashTable May Cause DoS Vulnerability – CVE-2011-3414

Q: Can the normally scheduled January bulletins be installed independently of the critical one?
A: Yes, Future security updates can be installed independently of this issue. Microsoft does recommend all customers always read security updates to ensure they fully understand any known issues that may be documented in the security bulletin.

Q: Is the attack vector based on the server or the client? Do we concentrate on server or desktop side first?
A:
The vulnerabilities in the bulletins are primarily focused on systems operating in a Web server role that use ASP.NET. Clients are typically not in a web server role.

Q: Could you provide more detail around the 3rd mitigation factor — specifically the account registration procedure?
A:
I am assuming this question is about the first mitigating factor for CVE-2011-3416: forms authentication bypass. Essentially, to pull off an Elevation of Privilege attack, the attacker would need a valid account on the system they are trying to compromise and the user name of the target of the attack.

Q: Can an ASP.NET site (e.g. SharePoint 2010 site) using authentication (NTLM/Kerberos) come under the DoS attack as described in CVE-2011-3414 by an unauthenticated user?
A:
NTLM/Kerberos authentication changes the attack vector of the vulnerability. An ASP.NET site can come under a DOS attack – however, the attacker would then need to be authenticated. 

Q: Will this affect — or will I need to be aware of — this update impacting ASP.NET session and machine key settings in IIS for a load balanced environment, where all machine keys are matches to make sure sessions are the same across a server farm?
A:
This update changes the way in which forms authentication tickets are created, so all servers would need to use the old or the new ticket format in order to maintain compatibility. Please refer to Knowledge Base Article 2659968 for deployment guidance for this update.

Q: What about servers that have IP address access limitations? Since we are resource-limited, we’d like to skip these servers that are only allowing certain IPs to access IIS.
A:
As we’ve mentioned, prioritization for this update would be specific to users environments, but servers that are Internet-facing and can accept input from unauthenticated or untrusted user provided content may be at greater risk than internal servers. Servers that have additional protections may reduce the potential attack risk of these vulnerabilities. Customers are encouraged to analyze their own environments.

Q: We have ASP.NET prohibited in in our Web Service Extensions — IIS 6. Are we still vulnerable?
A: No. If ASP.NET is not enabled, you are not vulnerable.

Q: The Section Workarounds for Collisions in HashTable May Cause DoS Vulnerability – CVE-2011-3414 in the bulletin is confusing. Is it required to put this script and then install the update? 
A:
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability, but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality. Customers are always encouraged to apply the security update. The workarounds are not a prerequisite for installing the security update.

Q: If TMG is not affected then, if TMG is protecting an Exchange 2010 server and the TMG is handling the forum authorization, would the patch for an Exchange server be necessary?
A: Although firewall solutions could protect systems behind the firewall it is important to understand the types of traffic that that FW may proxy to servers behind it. Systems behind the firewall are still vulnerable to internal attacks and have vulnerable code and should be updated to be properly protected.

Q: Is AppSettings.MaxHttpCollectionKeys the new parameter that contains the maximum number of form entries?
A:
Yes it is.

Q: For ASP.NET on Internet-facing systems requiring authentication, does an attacker have to have a valid user name AND the valid password to carry out an attack?
A:
No. The only requirement is to have the target’s username, and *any* valid account on the system.

Q: Will any forms authentication tickets generated before the patch is applied be rendered invalid once the patch is applied? 
A:
Yes. The change in the forms authentication ticket format will render all pre-patch tickets invalid once the update is applied.

Q: Our ASP.NET application requires large file uploads and requires our <httpRuntime maxRequestLength=”200”/> to be set to 102400. How will we be able to handle that and not remain vulnerable?
A:
The maxRequestLength setting is just a workaround. You will not need to worry about this after applying the security update and can remove any previously set workaround configurations.

Q: These updates run on Windows clients whether or not IIS or ASP is installed. Are the updates not effective in this case?
A: By default, IIS is not installed with .NET and by default, .NET is not installed by ASP.NET. Customers would first need to installed .NET framework with ASP.NET in order to be vulnerable to the vulnerabilities documented in MS11-100.

Q: Will there be changes to WSUS to only show the patch needed when ASP.NET is installed?
A:
Updates that shipped in the security bulletin today are updates for the .NET Framework component. As such, the detection logic for these updates scans for different versions of the .NET Framework and offers the appropriate patch. The patches will be offered as long as the .NET Framework (which contains ASP.NET) is installed and irrespective of whether ASP.NET is registered and in use or not.

Q: For CVE-2011-3414, would one machine perform a denial of service based on the hash algorithms the server hosting the page has to consume?
A: Yes, one machine could effectively perform a denial of service, should it launch the correct type of attack.

Q: How much of live client-side authentication is vulnerable? Or is it server-side only (patch your servers, and client side is only vulnerable to the redirected site)?
A: The LiveID authentication system is not forms-based.  Therefore, the forms-based authentication vulnerabilities do not affect LiveID.  Further, it is all server-side and at this point we have applied the security update to our LiveID servers.

Categories: .NET, Bulletin Webcast Tags: