Qualys Blog


Microsoft addresses high-profile ASP.NET issue with MS10-070

Microsoft published an out-of-band patch, MS10-070, for the ASP.NET issue made public two weeks ago at the ekoparty conference in Buenos Aires.

MS10-070 updates the widely installed .NET Framework on all supported Windows platforms, from XP SP3 to Windows 7, so the update applies to a very large number of machines, desktops and servers alike. However, the currently known attack only works against machines that run a web server with ASP.NET installed, so IT administrators should prioritize those. Desktops and servers that do not run a web server can be updated later, when convenient.

Microsoft rates the vulnerability as "important" because by itself it only causes information leakage, but the real effect of the attack depends heavily on the web application running on the server. In the worst case an attacker can gain complete control of the server. Since the exact impact will have to be determined by the server and application engineers, we recommend patching this vulnerability on all Windows machines that run ASP.NET applications.

For a demo of the worst-case scenario, take a look at the video of Juliano and Thai running their POET tool against an updated "DotNetNuke" installation. They gain full control over the server in under 10 minutes.

For a great explanation of padding oracle attacks, take a look at the Gotham Digital Security blog.

The workarounds recommended in the earlier advisory remain valid and do not need to be backed out before applying the patch. They are best-practice recommendations that minimize information leakage through side channels and should be considered for any web application in production.


  • Exploit tool and Whitepaper from Netifera
  • Demo video on Youtube for the 3rd party ASP.NET application DotNetNuke
  • DotNetNuke blog post on how to fix the issue
  • Technical details on the suggested workarounds
  • Initial advisory from Microsoft

Microsoft readies update for ASP.NET issue

Microsoft announced that they will release an update tomorrow for ASP.NET. The update addresses a vulnerability disclosed by Thai Duong and Juliano Rizzo at ekoparty, a Latin American security conference. The critical vulnerability allows a remote attacker to extract information from web applications written in ASP.NET and, in certain circumstances, can be used to take control of the affected server.

The current advisory provides a workaround for the problem. It minimizes information leakage through the error reporting system and should be considered a best practice for web applications even without the current attack. Scott’s blog post provides great insight, as does the blog post from the DotNetNuke team on how to implement the workarounds in their environment.

We recommend installing the patch immediately once it becomes available. IT administrators should first focus on web servers that do not have the workarounds implemented.


  • Exploit tool and Whitepaper from Netifera
  • Demo video on Youtube for the 3rd party ASP.NET application DotNetNuke
  • DotNetNuke blog post on how to fix the issue
  • Technical details on the suggested workarounds

Additional September Security Advisories – Update


  • Twitter today fixed an XSS vulnerability that was triggered by hovering over a link on their website. The vulnerability had been fixed some time ago but was unintentionally reintroduced in a recent update. Today it was disclosed again and spread quite quickly. Twitter has more information in their post here.
    Minded Security has an interesting analysis of an additional issue in the JavaScript code used and shows that finding a valid fix that works across all browsers requires experience and structured QA testing. Mikko Hypponen suggests that Twitter implement a bounty-based program, but it seems the problems are much lower in the dev/testing stack.

After last week’s patch Tuesday a few high profile vulnerabilities and patches have appeared this week:

  • Adobe accelerated their patch for the Flash 0-day vulnerability by one week and released it yesterday, Monday, September 20. Google Chrome users got the patch through Chrome's update mechanism and received it even earlier, on Friday, September 17. Google Chrome users can also use the Chrome-embedded PDF reader for most of their PDF usage, at least for simple document viewing and printing, and thereby sidestep the still-unpatched Adobe Reader 0-day.
  • Samba, the popular file sharing server, issued a patch for a critical vulnerability. The vulnerability allows external users to cause a DoS condition and potentially take control of the Samba server. Most users run a version of Samba supplied by their vendor and should contact them for the updates, e.g. Red Hat, IBM, Apple, etc.
  • An exploit for a vulnerability in the 64-bit Linux kernel was published. The vulnerability allows a local user to take full control of the targeted machine. Limited reports of the exploit being used are coming in. A tool has been made available to detect infection. Engage your vendor for a patch.
  • Web applications that use Microsoft's ASP.NET are vulnerable to a "padding oracle" attack against application cookies, which allows the attacker to gain access to private information. There is a demo video online on YouTube. Microsoft issued security advisory KB2416728 and has acknowledged a limited number of attacks seen in the wild. The advisory contains workarounds that mitigate the information leak. Web application firewalls with the technology to protect application cookies can also help with the issue.
  • Apple published an update to Mac OS X 10.6 (Snow Leopard) fixing a single issue, which is quite uncommon as they normally bundle many security updates together. Earlier versions of Mac OS X are not affected. QuickTime for Windows was updated as well to address a known 0-day vulnerability.
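The ASP.NET bullet above and the MS10-070 post describe the attack only in outline: a server that answers differently for "bad padding" and "good padding" lets an attacker decrypt CBC ciphertext (such as an encrypted cookie) byte by byte without the key, and the remedy is to stop the server from acting as that oracle. The following is an added example written for this page, not the POET tool nor any code from Microsoft, Netifera or DotNetNuke. It uses a toy four-round Feistel cipher built on SHA-256 in place of AES (the attack depends only on CBC mode and the PKCS#7 check, not on the cipher), and the oracle functions, the attack function, the HMAC-based hardening and the sample cookie value are all constructed for the example; the hardened oracle models the general fix of authenticating ciphertext before decrypting it, not Microsoft's actual implementation.

```python
import hashlib
import hmac
import os

BLOCK = 16  # CBC block size in bytes; padding is PKCS#7

# Stand-in block cipher (assumption for this example): a four-round Feistel
# network keyed through SHA-256. It is a toy, not AES; the attack below
# depends only on CBC mode plus a padding check, so any block cipher would do.
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, _xor(L, _f(key, R, r))
    return L + R

def block_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = _xor(R, _f(key, L, r)), L
    return L + R

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes, iv=None) -> bytes:
    """Return iv || ciphertext (random IV unless one is supplied)."""
    prev = iv if iv is not None else os.urandom(BLOCK)
    out, pt = prev, pad(plaintext)
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    if len(data) < 2 * BLOCK or len(data) % BLOCK:
        raise ValueError("bad length")
    prev, out = data[:BLOCK], b""
    for i in range(BLOCK, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return unpad(out)

def make_padding_oracle(key: bytes):
    """Vulnerable server: the caller can tell a padding error from success."""
    def oracle(data: bytes) -> bool:
        try:
            cbc_decrypt(key, data)
            return True
        except ValueError:
            return False
    return oracle

def sign(mac_key: bytes, data: bytes) -> bytes:
    return data + hmac.new(mac_key, data, hashlib.sha256).digest()

def make_hardened_oracle(key: bytes, mac_key: bytes):
    """Fixed server: verify an HMAC over iv||ciphertext before decrypting, so
    attacker-modified ciphertext is rejected before padding is ever examined."""
    def oracle(data: bytes) -> bool:
        body, tag = data[:-32], data[-32:]
        if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
            return False
        return make_padding_oracle(key)(body)
    return oracle

def padding_oracle_attack(oracle, data: bytes) -> bytes:
    """Recover the plaintext of iv||ciphertext using only the oracle's yes/no."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(target), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):  # known bytes are made to decrypt to padv
                forged[j] = inter[j] ^ padv
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:  # rule out an accidental 0x02 0x02 (or longer) padding
                    check = bytearray(forged)
                    check[pos - 1] ^= 0xFF
                    if not oracle(bytes(check) + target):
                        continue
                inter[pos] = guess ^ padv
                break
            else:
                raise RuntimeError("no accepted guess: the server is not a usable padding oracle")
        recovered += _xor(inter, prev)
    return unpad(recovered)

if __name__ == "__main__":
    key, mac_key = os.urandom(16), os.urandom(16)
    cookie = b"userid=42;role=admin"  # constructed sample cookie value
    print(padding_oracle_attack(make_padding_oracle(key), cbc_encrypt(key, cookie)))
```

Against the vulnerable oracle the attack needs at most 256 queries per byte and never touches the key; against the hardened oracle every forged ciphertext fails the MAC check, so no guess is ever accepted and the attack aborts at the first byte. This is also why the advisory's workaround of returning one uniform error page matters: the attacker only needs to distinguish "padding rejected" from "padding accepted", and any difference in response, including timing, re-creates the oracle.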

Patch Tuesday Bottomline – September 2010

Microsoft’s September bulletin contains four critical and five important updates, affecting Windows, Microsoft Office and Microsoft Internet Information Services (IIS). The most intriguing update is MS10-061, a fix for a print spooler vulnerability in Windows XP. In cooperation with Kaspersky and Symantec, Microsoft analyzed samples of the Stuxnet malware and found that, in addition to using the 0-day LNK vulnerability addressed in August by MS10-046, it uses a second previously unknown vulnerability in the Windows print spooler to spread itself to other machines in the network. They further found two previously unknown local vulnerabilities that the malware uses to gain the required admin privileges when necessary. The use of that many 0-day vulnerabilities shows a dedicated effort to make the malware succeed, and remember this was the malware that had the password for the Siemens SCADA software embedded. MS10-061 fixes this second 0-day and is the most important patch of the month; it should be applied immediately.

MS10-063 is a critical vulnerability in the OpenType libraries and allows an attacker to take control of a machine if the user looks at a malicious web page or e-mail. The vulnerability does not require any further user interaction and so is a candidate for drive-by-download attacks, where malware is installed without the user’s consent or knowledge. While it is ranked as harder to exploit, we believe attackers will focus on this vulnerability given the potential payback of more targets. MS10-062 fixes a critical vulnerability in the Windows MPEG-4 codec that allows an attacker who entices a user to play a specially crafted video file to take control of the victim’s machine; it is ranked as easy to exploit and will certainly become part of the popular malicious exploit kits. The last critical vulnerability, MS10-064, addresses a problem in Microsoft Outlook 2002; the more popular Outlook 2003 and 2007 are not affected in their default configuration.

MS10-068 is a vulnerability in Active Directory. It is ranked only as important because the attacker needs to be authenticated, but this is not much of an obstacle to a more sophisticated attacker who uses a client-side vulnerability, such as the current Adobe Reader or Flash 0-days, to get control of a workstation and then attacks the AD server from there. We recommend that anyone with an AD infrastructure apply this update as soon as possible. MS10-065 fixes multiple vulnerabilities in IIS: one of them depends on the FastCGI module and can be used to gain remote code execution on the server. FastCGI is not configured by default, but it is needed when certain software packages run under IIS, PHP for example. The majority of installed IIS servers will not be affected, but a check on Shodan shows more than 30,000 servers advertising that they run PHP under IIS; this update should be high on your list if you run this configuration.

Windows 7 and Windows Server 2008 R2 installations are not affected by three of the four critical vulnerabilities and have a downgraded severity of "Important" for the codec vulnerability.

Patch Tuesday – Preview for September 2010

Microsoft’s September security updates will contain a quite substantial nine bulletins addressing a total of 13 vulnerabilities. Four bulletins have a rating of "Critical" and affect Windows XP, Windows 2003 and Vista. Once again, Windows 7 and Windows Server 2008 R2 are less problematic: they are not affected by three of the four critical vulnerabilities and have a downgraded severity of "Important" for the last one.

Microsoft Office XP, 2003 and 2007 are affected by 2 bulletins, each carrying a severity of "Important", a pretty standard rating for common file format vulnerabilities, even though they allow the attacker to take control of the affected system.

I expect some of the bulletins to address DLL hijacking issues in Microsoft’s own products, but it will be interesting to see whether Microsoft changes its guidance for hotfix KB2264107. Currently it is only at the advisory level, and users have to make an active decision to get protection against DLL hijacking in third-party applications.

As last month, Windows XP SP2 users do not get any patches, even though the majority of the updates for XP SP3 most likely apply to their discontinued version of the OS as well. Windows XP SP2 users should upgrade to SP3 as quickly as possible.

0-day for Adobe Reader 9.3.4 and Flash – Update 3

Update 3
Adobe has acknowledged a 0-day in their Flash player.
Both this 0-day and the Adobe Reader flaw already have patches scheduled.

VUPEN has declared that their exploit for the Adobe Reader vulnerability will be successful even with JavaScript disabled.

Update 2
Security researchers are impressed by the creativity in the recent Adobe 0-day. VUPEN has an interesting blog post with an analysis of the DEP/ASLR bypass technique, and @reversemode and @dinodaizovi agree.

While the Adobe advisory does not contain any further details on the vulnerability and the exploit, it seems that turning off JavaScript in Adobe Reader prevents the known samples of the exploit from running. Turning off JavaScript also prevents the published Metasploit code from running successfully.

We recommend turning off JavaScript in Adobe Reader and consider it a best practice for normal desktop usage.

A new critical 0-day vulnerability has been discovered in the wild for the latest version of Adobe Reader, 9.3.4. Adobe has published an advisory and notes that all operating systems are affected. They will be providing updates as more information becomes available.

Some of the exploit code has been published, and we expect an exploit to become available in the exploit toolkits.

We will keep you posted as we get more information.