Microsoft hat das Security Advisory 2416728 veröffentlicht

Microsoft untersucht derzeit eine gemeldete Sicherheitsanfälligkeit in ASP.NET.

Weitere Infos gibt es unten unten auf englisch, auf der amerikanischen TechNet Seite (http://www.microsoft.com/technet/security/advisory/2416728.mspx) oder bald auf  der deutschen TechNet Seite http://technet.microsoft.com/de-de/security/default.aspx.

 

What is the purpose of this alert?

This alert is to notify you that Microsoft has released Security Advisory 2416728 – Vulnerability in ASP.NET Could Allow Information Disclosure — on September 17, 2010.

Summary

Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors

· Microsoft has not identified any mitigations for this vulnerability.

Affected Software

Operating System

Component

Windows XP

Windows XP Media Center Edition 2005 and Windows XP Tablet PC Edition 2005

Microsoft .NET Framework 1.0 Service Pack 3

Windows XP Service Pack 3

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows XP Professional x64 Edition Service Pack 2

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Server 2003

Windows Server 2003 Service Pack 2

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Server 2003 x64 Edition Service Pack 2

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Server 2003 with SP2 for Itanium-based Systems

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Vista

Windows Vista Service Pack 1

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Vista Service Pack 2

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Vista x64 Edition Service Pack 1

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Vista x64 Edition Service Pack 2

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Server 2008

Windows Server 2008 for 32-bit Systems

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Server 2008 for x64-based Systems

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Server 2008 for Itanium-based Systems

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows Server 2008 for Itanium-based Systems Service Pack 2

Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Windows 7

Windows 7 for 32-bit Systems

Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.0

Windows 7 for x64-based Systems

Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.0

Windows Server 2008 R2

Windows Server 2008 R2 for x64-based Systems

Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.0

Windows Server 2008 R2 for Itanium-based systems

Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.0

Recommendations

Review Microsoft Security Advisory 2416728 for an overview of the issue, details on affected components, mitigating factors, workarounds, suggested actions, frequently asked questions (FAQs), and links to additional resources.

Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.

Additional Resources

· Microsoft Advisory 2416728  – Vulnerability in ASP.NET Could Allow Information Disclosure: http://www.microsoft.com/technet/security/advisory/2416728.mspx

· Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/b/msrc/archive/2010/09/17/security-advisory-2416728-released.aspx

· Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

· Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.

Thank you,

Microsoft CSS Security Team

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.