ASP.NET Patched

ASP.NET came of age this week when Microsoft posted a security patch for a vulnerability arising in some Web server farm environments.

ASP.NET is the .NET generation of Microsoft technologies to help developers build Web-based applications and XML Web services. It's been officially available for about four months.

The vulnerability involves one of the three modes ASP.NET offers for handling session state. It is more likely to affect an enterprise environment than a small- or medium-business one, because the vulnerable mode, called StateServer, is used in Web server farm configurations. Microsoft nonetheless rated the vulnerability a moderate risk for servers, partly because it recommends that ASP.NET applications deployed in Web farms use SQL Server rather than StateServer to manage session state. Another reason for the less-than-critical rating is that a Web application must use cookies to be exposed.

The smallest Web applications can keep session state inside the same process that runs ASP.NET. Applications designed to scale across a Web server farm, however, must store session state in a separate running process so that any server in the farm can reach it during a user's session.

StateServer is one way Microsoft handles the issue. Another way is a SQL Server mode, in which session state is stored and managed in the database. The SQL Server mode is Microsoft's recommended server farm mode because it makes the application more scalable.
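As an added illustration, not taken from the article or from Microsoft's bulletin, the `<sessionState>` element in an ASP.NET 1.x `web.config` is where one of the three modes is selected; the host, port and database connection values below are placeholders, and only one `<sessionState>` element may be active at a time, so the two farm modes are shown commented out beside the in-process default:

```xml
<configuration>
  <system.web>
    <!-- InProc: session state lives inside the ASP.NET worker process.
         Suitable for a single server; servers in a farm cannot share it.
         cookieless="false" means the session ID travels in a cookie, which the
         bulletin names as the condition for exposure of the StateServer mode. -->
    <sessionState mode="InProc" cookieless="false" timeout="20" />

    <!-- StateServer: the mode this patch addresses. State is held by the
         separate ASP.NET state service; stateConnectionString points at it
         (placeholder address, the default port is 42424). -->
    <!--
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  cookieless="false"
                  timeout="20" />
    -->

    <!-- SQLServer: Microsoft's recommended mode for Web farms. State is stored
         in a database reachable from every server (placeholder connection). -->
    <!--
    <sessionState mode="SQLServer"
                  sqlConnectionString="data source=STATEDB;user id=PLACEHOLDER;password=PLACEHOLDER"
                  cookieless="false"
                  timeout="20" />
    -->
  </system.web>
</configuration>
```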

The specific vulnerability with StateServer involves an unchecked buffer when processing cookies. An attacker could exploit the buffer to mount an overrun attack. Microsoft says that theoretically the attacker could execute code on an unprivileged account, but it has not been able to replicate that attack through the vulnerability.

Microsoft has been able to show that the buffer overrun attack would cause the ASP.NET application to restart and result in all active users losing session state.

In a FAQ in the patch description, Microsoft itself brings up the most stinging question: "I thought unchecked buffers are impossible in the .NET Framework?"

Redmond's answer to its own question is effectively that the .NET Framework isn't really written all the way with .NET code.

"While the StateServer itself is written using the .NET Framework, there are some helper functions which it calls that are not written using the .NET Framework. The flaw which gives rise to the vulnerability is located in one of these helper functions written using traditional code," the bulletin states.

According to Microsoft, the company is at work migrating all helper functions over to the framework.

The bulletin and patch can be accessed at

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

