• Patch Watch update

    Windows Secrets does not publish on any fifth Thursday of the month. Because September’s second Patch Tuesday fell on the 28th (a no-newsletter week), we have posted a special Patch Watch update here in the Lounge.

    • #1247093

      MS10-070 Out of band update for ASP.NET

      Microsoft released MS10-070 today, an out-of-cycle patch described in an MS Security Response Center blog.

      My first recommendation is to not panic, even though out-of-cycle patches are usually worrisome. Note that at this time, this security update just became available on Windows Update, Microsoft Update, and WSUS.

      UPDATE 2010-09-30: The patch has now been released to Microsoft Update and Windows Update. Anyone with a standalone workstation — not a server — can simply hide these updates by expanding the patch detail in the Microsoft Update window and unchecking the box.

      Once you uncheck the box, click to expand the details of the update and you can click to hide the updates (note you may be offered up to four .NET updates depending on the versions you have installed).

      There is a higher risk for small-business and home servers; I still believe that attackers will go after larger targets. This is not the traditional exploit — it’s a tool attackers use to gain information from a target site, which they will then use to gain more access.

      Who’s affected by this update

      Consumers: You are not at risk here unless you run a web server from your Windows XP, Vista or Windows 7. Since most of you don’t, just ignore all of those server admins running around in a panic and check back tomorrow when I’ll report on the Windows 7 updates that were released today as well.

      Server Admins: If you have a Web site that runs .NET versions 1.1 through 4, heads up! You’ll be wanting to be on alert.

      .NET used for financial services: For those admins that run .NET-based Web sites and have links inside the web.config file to financial third-party firms (like paypal.com), you’ll want to test and deploy this as soon as you can. You are the most at risk. The vulnerability can be used to get some key information about your setup and, more importantly, about the security of your Web server.

      “In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config” and “This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server” (from http://isc.sans.edu/diary.html?storyid=9625)

      .NET for SharePoint: If you have sensitive data in SharePoint that is open to the Internet, you also should test these patches and quickly install them. However, if you do not have it exposed to the Web — it’s totally inside your firm on an intranet — then I recommend you wait until the updates are available on Microsoft Update, Windows Update, or WSUS.

      Small Business or Home Servers using Remote Web Workplace: Don’t panic. Even if you have sensitive information on your server, unless you are specifically seeing Event code 3005 (this will be under the more generic event 1309 in your event logs; see this blog for what an actual attack looks like in your event logs), you should not be worried. If you do see Event 3005 in your externally-facing Web-server application log files and the detail of the event looks exactly like what is shown in that blog post, call Microsoft at 1-866-PCSafety or 1-800-Microsoft and let them know you are seeing attacks on your systems.

      For those of us in the small-business world, sometimes the risk of the updates is greater than the risk of not updating. Trying to determine what version of .NET you have is extremely confusing (more on this below) and we all know how hard it is to install .NET updates. Microsoft is completing their detection testing to allow the update to be deployed via Windows Update, Microsoft Update, and WSUS. Thus I have no hesitation in saying that for us, it’s better to wait for the testing to complete, and to wait for others to go first before deploying these updates ourselves.

      If you install these updates and get stuck, use the Aaron Stebner rip out tool (download page) to remove all versions of .NET and reinstall them.

      How to determine what version of updates is needed

      This can be confusing. One of the easiest tools I’ve found to determine what versions of .NET you have installed is to review the user-agent string in your Internet Explorer browser.

      First go to the Web Site and click on Analyze my UA.

      You’ll then get a result similar to: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729).

      In the table below it will list the versions of .NET you have installed. For example:

      .NET CLR 1.1.4322 Microsoft dot NET installed. version: 1.1.4322
      .NET CLR 2.0.50727 Microsoft dot NET installed. version: 2.0.50727
      .NET CLR 3.0.4506.2152 Microsoft dot NET installed. version: 3.0.4506.2152
      .NET CLR 3.5.30729 Microsoft dot NET installed. version: 3.5.30729

      Now comes the fun part. Go to Scott Guthrie’s ASP blog and, from the table he lists, download the patches that correspond to the operating system you’re running. In the example above (a Home Server) it’s Windows 2003 SP2.

      You can match up those .NET versions with the corresponding service pack info listed on Aaron Stebner’s blog, and you can compare the exact .NET version with Aaron’s table to determine what version and service pack you have. Now refer back to Scott Guthrie’s ASP blog for the links for our version that we need.

      So from our example above:

      .NET CLR 1.1.4322 Microsoft dot NET installed. version: 1.1.4322 equals .NET 1.1 SP1
      .NET CLR 2.0.50727 Microsoft dot NET installed. version: 2.0.50727 equals .NET 2.0 SP2
      .NET CLR 3.0.4506.2152 Microsoft dot NET installed. version: 3.0.4506.2152 equals .NET 3.0 SP2
      .NET CLR 3.5.30729 Microsoft dot NET installed. version: 3.5.30729 equals .NET 3.5 SP1

      And comparing it to Scott’s table for Windows 2003 SP2, it appears we’ll need KB2416451, KB2418241, and KB2416473.

      Confusing, isn’t it? As this exercise proves, for Small Business and Home Servers, it’s much safer to wait for the detection of Microsoft Update/Windows Update before we begin a manual deployment like this.
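The event-log check described in the post above, as an added example that is not part of the original post: it takes the message text of event 1309 records, keeps those carrying event code 3005, and counts them per client address and exception type so repeated errors from one source stand out. The field labels, the sample records and the burst threshold are assumptions constructed for illustration; comparing a flagged record with the blog post remains a manual step.

```python
import re
from collections import Counter

# Labelled fields read from the message text of an Application-log record
# with Event ID 1309; the field labels are an assumption about the export.
FIELD = re.compile(
    r"^[ \t]*(Event code|Exception type|User host address):[ \t]*(.+?)\s*$",
    re.MULTILINE,
)

def _record(code, exc, host):
    # Build one constructed message in "Label: value" layout (not real data).
    return (f"Event code: {code}\r\n"
            f"Exception information:\r\n    Exception type: {exc}\r\n"
            f"Request information:\r\n    User host address: {host}\r\n")

# Constructed sample; addresses come from the documentation ranges.
SAMPLE_MESSAGES = (
    [_record(3005, "CryptographicException", "203.0.113.7")] * 4
    + [_record(3005, "HttpException", "198.51.100.20")]
    + [_record(3001, "HttpException", "198.51.100.20")]
)

def parse(message):
    """Return the labelled fields of one event 1309 message as a dict."""
    return dict(FIELD.findall(message))

def triage(messages, event_code="3005", burst=3):
    """Count records with the given event code per (client, exception type).

    Returns (flagged, counts); `flagged` holds the pairs seen at least
    `burst` times. The threshold is illustrative, not taken from the post.
    """
    counts = Counter()
    for message in messages:
        fields = parse(message)
        if fields.get("Event code") != event_code:
            continue  # some other health-monitoring event under 1309
        key = (fields.get("User host address", "unknown"),
               fields.get("Exception type", "unknown"))
        counts[key] += 1
    flagged = {key: n for key, n in counts.items() if n >= burst}
    return flagged, counts

if __name__ == "__main__":
    flagged, counts = triage(SAMPLE_MESSAGES)
    print("event code 3005 records:", sum(counts.values()))
    for (host, exc), n in flagged.items():
        print(f"review: {n} x {exc} from {host}")
```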

    • #1248529

      MS Automatic Updates offered this (KB 2416447, 2416472, 2416473, 2418241) to one workstation (WinXP MCE 2005 SP3) on 02Oct. Same patches were offered by Microsoft Update for 3 XP Home SP3 systems. No problems observed on any of those 4 systems, over the 5 days since (crossing fingers Now …).

    • #1249786

      Susan

      I am not completely clear, and you did not cover it in today’s Windows Secrets. Are the .NET patches in MS10-70 safe to install for WXP-SP3 and Vista SP2 standalone workstations at this stage?

      Chris

      Chris
      Win 10 Pro x64 Group A

    • #1250649

      Chris, the patches in 10-070 are not needed on a workstation. You only have a risk when you are running a web server.

      I never can guarantee that .NET updates will not have issues; I’m sorry.

    • #1251559

      Susan

      Thanks for your answer. I fully understand the proviso in your last sentence.

      Regards

      Chris

      Chris
      Win 10 Pro x64 Group A

    • #1252277

      Foolishly, I did not wait for Susan’s column and just clicked on OK to install the new patches to Win 7. It appears that the one patch that does not allow itself to be uninstalled, KB976902 (Susan says to ignore it) has killed my wireless adapter. Not only can I not uninstall this patch, but I cannot even restore my system to the pre-patch point because System Recovery fails even in Safe-Mode. I was able to uninstall all of the other patches made on 10/27, but not the one in question. It’s a killer, and I don’t know how to recover other than re-installing Windows 7. Any suggestions?

      The symptom is that the wireless adapter is disabled in the Control Panel/Network Connections window and does not respond to the right-click “Enable” command or any other attempt to enable it. I have deleted the device in Device Manager, and rebooted. It is found and installed with the latest driver from Broadcom, but it still will not be enabled. It has been working well up until I installed the Win7 patches. So it seems that this patch is doing me in. I have tried all my usual magic to recover, but this one will not go away. There seems to be nothing on the MS site about any problems with KB976902. Any ideas???
