ASP.NET Security Update Now Available
This morning Microsoft released a security update that addresses the ASP.NET Security Vulnerability that I’ve blogged about this past week. We recommend installing it as soon as possible on your web-servers.
Common Questions/Answers
Below are some answers to a few common questions people have asked:
Do the updates require me to change any code?
No. The update should not require any code or configuration change to your existing ASP.NET applications.
Will I still need to use the workarounds after I install the update?
No. The update removes the need to use the security workarounds we’ve published this past week. Those were temporary steps that could be taken to protect yourself before the update was released. After you’ve installed the update you no longer need to use them.
What is the impact of applying the update to a live web-server?
If you apply the update to a live web-server, there will be some period of time when the web-server will be offline (although an OS reboot should not be required). You’ll want to schedule and coordinate your updates appropriately.
Importantly – if your site or application is running across multiple web-servers in a web-farm, you’ll want to make sure the update is applied to all of the machines (and not just some of them). This is because the update changes the encryption/signing behavior of certain features in ASP.NET, and a mix of patched and un-patched servers will cause that encryption/signing behavior to be incompatible between them. If you are using a web-farm topology, you might want to look at pulling half of the machines out of rotation, update them, and then swap the active and inactive machines (so that the updated machines are in rotation, and the non-updated ones are pulled from rotation and patched next) to avoid these mismatches.
Does this update work with SharePoint?
Yes. We have not found any issues in testing SharePoint with this security update. You should install it on SharePoint servers to ensure that they are not vulnerable.
Can I both install and uninstall the update?
Yes. The updates support install and uninstall scenarios. Note that if you uninstall the update, though, it will leave your system unprotected.
Downloading the Updates
We are releasing the security update today via the Microsoft Download Center. We will also release the update via Windows Update and the Windows Server Update Service in a few days as we complete final distribution testing via these channels. Once the update is on Windows Update, you can simply run Windows Update on your computer/server and Windows Update will automatically choose the right update to download/apply based on what you have installed.
Update: You can now use Windows Update and Windows Server Update Services (WSUS) to install the patches. You can learn more about this here.
If you download the updates directly from the Microsoft Download Center, then you need to manually select and download the appropriate updates. Below is a table of all of the different update packages available via the Microsoft Download Center today. The downloads are split up by Windows Operating System (and corresponding service pack and processor architecture). Each operating system version bucket below includes a listing of all available versions of .NET that are supported on it, and includes KB and download links to the appropriate security updates.
Find your operating system within the below chart, then check to see which versions of .NET you have installed on it (details on how to determine which version of the .NET Framework is installed can be found here). Download and apply the update packages for each version of .NET that you are using on that server.
Windows Server 2008 R2 and Windows 7 |
| |
.NET Framework Version | KB Article | Patch |
.NET Framework 3.5.1 (Default install) | ||
.NET Framework 4 |
Windows Server 2008 SP2, Windows Vista SP2 |
| |
.NET Framework Version | KB Article | Patch |
.NET Framework 2.0 SP2 (default install) | ||
.NET Framework 4 | ||
.NET Framework 3.5 SP1 | ||
.NET Framework 3.5 | ||
.NET Framework 1.1 SP1 |
*When multiple patch downloads are listed above against a .NET version (for example with .NET 3.5 SP1 and .NET 3.5 installs) then all patches should be installed (order is not relevant).
Windows Server 2008, Windows Vista SP1 |
| |
.NET Framework Version | KB Article | Patch |
.NET Framework 2.0 SP1 (default install) | ||
.NET Framework 4 | ||
.NET Framework 3.5 SP1 | ||
.NET Framework 2.0 SP2 | ||
.NET Framework 3.5 | ||
.NET Framework 1.1 SP1 |
*When multiple patch downloads are listed above against a .NET version (for example with .NET 3.5 SP1 and .NET 3.5 installs) then all patches should be installed (order is not relevant).
Windows Server 2003 SP2 32-bit |
| |
.NET Framework Version | KB Article | Patch |
.NET Framework 1.1 SP1 (default install) | ||
.NET Framework 4 | ||
.NET Framework 3.5 SP1 | ||
.NET Framework 2.0 SP2 | ||
.NET Framework 3.5 |
*When multiple patch downloads are listed above against a .NET version (for example with .NET 3.5 SP1 and .NET 3.5 installs) then all patches should be installed (order is not relevant).
Windows Server 2003 64-bit |
| |
.NET Framework Version/SP | KB Article | Patch |
Default OS Configuration | NA | NA |
.NET Framework 4 | ||
.NET Framework 3.5 SP1 | ||
.NET Framework 2.0 SP2 | ||
.NET Framework 3.5 | ||
.NET Framework 1.1 SP1 |
*When multiple patch downloads are listed above against a .NET version (for example with .NET 3.5 SP1 and .NET 3.5 installs) then all patches should be installed (order is not relevant).
Windows XP SP3 32-bit and 64-bit |
| |
.NET Framework Version/SP | KB Article | Patch |
Default OS Configuration | NA | NA |
.NET Framework 4 | ||
.NET Framework 3.5 SP1 | ||
.NET Framework 2.0 SP2 | ||
.NET Framework 3.5 | ||
.NET Framework 1.1 SP1 |
*When multiple patch downloads are listed above against a .NET version (for example with .NET 3.5 SP1 and .NET 3.5 installs) then all patches should be installed (order is not relevant).
Summary
We recommend immediately applying the security update to your servers in order to protect your applications against attackers trying to exploit them. We’d like to thank Juliano Rizzo and Thai Duong, who discovered that their previous research worked against ASP.NET, for not releasing their POET tool publicly before our update was ready.
You can ask questions and get help with the security vulnerability and update in a special ASP.NET Forum that we have setup here. If you have problems or questions you can also contact Microsoft Customer Support for help (including support over the phone with a support engineer). The official Microsoft Security Bulletin post is here.
Thanks,
Scott