ASP.NET Patched

ASP.NET came of age this week when Microsoft posted a security patch for a vulnerability arising in some Web server farm environments.

ASP.NET is the .NET generation of Microsoft technologies to help developers build Web-based applications and XML Web services. It's been officially available for about four months.

The vulnerability involves one of the three modes in ASP.NET for handling session state. The problem is more likely to affect an enterprise environment than a small- or medium-business environment, because the vulnerable session state mode, called StateServer, arises in Web server farm configurations. However, Microsoft rated the vulnerability a moderate risk for servers because it recommends that users implementing ASP.NET applications in Web farms use SQL Server to manage session state. Another reason for the less-than-critical risk assessment is that the Web server application must use cookies to be exposed.

The smallest Web server applications can handle session state within the same process as ASP.NET. Applications designed to scale across a Web server farm, however, must store session state in a separate running process so any server in the farm can access it during a user session.

StateServer is one way Microsoft handles the issue. Another way is a SQL Server mode, in which session state is stored and managed in the database. The SQL Server mode is Microsoft's recommended server farm mode because it makes the application more scalable.

The specific vulnerability with StateServer involves an unchecked buffer when processing cookies. An attacker could exploit the buffer to mount an overrun attack. Microsoft says that theoretically the attacker could execute code on an unprivileged account, but it has not been able to replicate that attack through the vulnerability.

Microsoft has been able to show that the buffer overrun attack would cause the ASP.NET application to restart and result in all active users losing session state.

In a FAQ in the patch description, Microsoft itself brings up the most stinging question: "I thought unchecked buffers are impossible in the .NET Framework?"

Redmond's answer to its own question is effectively that the .NET Framework isn't really written all the way with .NET code.

"While the StateServer itself is written using the .NET Framework, there are some helper functions which it calls that are not written using the .NET Framework. The flaw which gives rise to the vulnerability is located in one of these helper functions written using traditional code," the bulletin states.

According to Microsoft, the company is at work migrating all helper functions over to the framework.

The bulletin and patch can be accessed at

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • How To Use .CSV Files with PowerShell, Part 1

    When it comes to bulk administration, few things are handier than .CSV files. In this two-part series, Brien demos his top techniques for working with .CSV files in PowerShell. First up: How to create a .CSV file.

  • SameSite Cookie Changes Rolled Back Until Summer

    The Chromium Project announced on Friday that it's delaying enforcement of SameSite cookie changes, and is temporarily rolling back those changes, because of the COVID-19 turmoil.

  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.