ASP.NET Patched

ASP.NET came of age this week when Microsoft posted a security patch for a vulnerability arising in some Web server farm environments.

ASP.NET is the .NET generation of Microsoft technologies to help developers build Web-based applications and XML Web services. It's been officially available for about four months.

The vulnerability involves one of the three modes in ASP.NET for handling session state. The problem is more likely to affect an enterprise environment than a small- or medium-business environment, because the vulnerable session state mode, called StateServer, arises in Web server farm configurations. However, Microsoft rated the vulnerability a moderate risk for servers because it recommends that users implementing ASP.NET applications in Web farms use SQL Server to manage session state. Another reason for the less-than-critical risk assessment is that the Web server application must use cookies to be exposed.

The smallest Web server applications can handle session state within the same process as ASP.NET. Applications designed to scale across a Web server farm, however, must store session state in a separate running process so any server in the farm can access it during a user session.

StateServer is one way Microsoft handles the issue. Another way is a SQL Server mode, in which session state is stored and managed in the database. The SQL Server mode is Microsoft's recommended server farm mode because it makes the application more scalable.

The specific vulnerability with StateServer involves an unchecked buffer when processing cookies. An attacker could exploit the buffer to mount an overrun attack. Microsoft says that theoretically the attacker could execute code on an unprivileged account, but it has not been able to replicate that attack through the vulnerability.

Microsoft has been able to show that the buffer overrun attack would cause the ASP.NET application to restart and result in all active users losing session state.

In a FAQ in the patch description, Microsoft itself brings up the most stinging question: "I thought unchecked buffers are impossible in the .NET Framework?"

Redmond's answer to its own question is effectively that the .NET Framework isn't really written all the way with .NET code.

"While the StateServer itself is written using the .NET Framework, there are some helper functions which it calls that are not written using the .NET Framework. The flaw which gives rise to the vulnerability is located in one of these helper functions written using traditional code," the bulletin states.

According to Microsoft, the company is at work migrating all helper functions over to the framework.

The bulletin and patch can be accessed at

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Windows 10 Mobile To Fall Out of Support in December

    Microsoft will end support for the Windows 10 Mobile operating system on Dec. 10, 2019, according to an announcement.

  • Get More Out of Your Outlook Inbox with TakeNote

    Brien comes across a handy, but imperfect, feature in Outlook that lets you annotate specific e-mails. Its provenance is something of a mystery, though.

  • Microsoft Resumes Rerelease of Windows 10 Version 1809

    Microsoft on Wednesday once more resumed its general rollout of the Windows 10 version 1809 upgrade, also known as the "October 2018 Update."

  • Microsoft Ups Its Windows 10 App Compatibility Assurances

    Microsoft gave assurances this week that organizations adopting Windows 10 likely won't face application compatibility issues.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.