Scott Hanselman

This has been blogged about over and over.  This is another case where if you had UrlScan or any decent security url filter installed on your box, you'd be fine.  Certainly it's a problem in ASP.NET, and Microsoft has an HttpModule to fix it.  This means you can install this once and get the fix on all your systems, rather than adding it in the BeginRequest of the Global.asax.cs.

One interesting note, if you're confirming the user's Security Principal and Identity (WindowsPrincipal, FormsIdentity) via code, or are using a custom Principal (as I do as a best practice) your code will catch this problem even if ASP.NET Form's Authentication's AuthorizationModule didn't.

1) Updated http://www.microsoft.com/security/incident/aspnet.mspx with new information about the reported vulnerability.  This should help clear up some of the confusion we've seen about what is affected by this.  To be super clear, all ASP.NET applications, on ALL OS's should follow the guidance provided.

2) A new HTTP Module mitigation best practice.  This is in the form of an MSI installer that will help protect all ASP.NET applications on a Web server.  This MSI installer will place a binary into the GAC and update the machine.config file for ASP.NET.  You can find download information at http://www.microsoft.com/downloads/details.aspx?FamilyID=da77b852-dfa0-4631-aaf9-8bcc6c743026&displaylang=en

You can also download the MSI directly at http://download.microsoft.com/download/4/6/1/461433d5-cbac-4721-85cb-c5a514fd0049/VPModule.msi

3) Detailed guidance about the HTTP Module, how the MSI works, and how to deploy it.  You can find this KB Article at http://support.microsoft.com/?kbid=887289

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

About   Newsletter

Hosting By