Republished with Permission - Original Article

Earlier this week I posted about an ASP.NET Vulnerability, and followed this up with another blog post that covers some Frequently Asked Questions about it.

We are actively working on releasing a security update that fix the issues, and our teams have been working around the clock to develop and test a fix that is ready for broad distribution across all Windows platforms via Windows Update.  I’ll post details about this once it is available.

Important Update: You can now download the official security patch update here.  Please install it ASAP on your servers – it is the only way to protect against the vulnerability.

In my first blog post I covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it.  Today, we are revising it to include an additional defensive measure.

This additional step can be done at a server-wide level, and should take less than 5 minutes to implement.  Importantly, this step does not replace the other steps in the original workaround, rather it should be done in addition to the steps already in it.  Below are instructions on how to enable it.

If you do not already have the IIS URLScan module installed on your IIS web server, please download and install it:

x86 Version

x64 Version

It takes less than a minute to install on your server. 

Add an Addition URL Scan Rule

Once URLScan is installed, please open and modify the UrlScan.ini file in this location:

%windir%\system32\inetsrv\urlscan\UrlScan.ini

Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section.  Add an additional “aspxerrorpath=” entry immediately below it and then save the file:

[DenyQueryStringSequences]

aspxerrorpath=

The above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error.  Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.

After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect.  To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.

If you’ve already implemented the workaround we’ve previously published, please add the above step to help block attackers from exploiting the vulnerability.

Our team is working around the clock to release an update via Windows Update that fixes the underlying product vulnerability.  Until that update is available, you can use the above workaround to help prevent attackers from using the vulnerability against your applications. 

Important Update: You can now download the official security patch update here.  Please install it ASAP on your servers – it is the only way to protect against the vulnerability.

Once we release the security update, you will no longer need to implement any workaround steps.  You can learn more about this vulnerability and the workaround from:

Microsoft Security Advisory 2416728 (Updated 9/24)

Understanding the ASP.NET Vulnerability

My Initial Blog Post

My Frequently Asked Questions Post

SharePoint Team Blog Post

Microsoft Security Response Center Blog Post

Microsoft Security Response Center Update Post

Please post specific questions about the vulnerability in this forum on the www.asp.net web-site.

Thanks,

Scott

Scott Guthrie

AspAdvice Forums

AspAdvice Mailing Lists