Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  Microsoft .Net XML signing protection bypass

From:MICROSOFT <secure_(at)_microsoft.com>
Date:09.06.2010
Subject:Microsoft Security Bulletin MS10-041 - Important Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)

Microsoft Security Bulletin MS10-041 - Important
Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
Published: June 08, 2010

Version: 1.0
General Information
Executive Summary

This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow data tampering of signed XML content without being detected. In custom applications, the security impact depends on how the signed content is used in the specific application. Scenarios in which signed XML messages are transmitted over a secure channel (such as SSL) are not affected by this vulnerability.

This security update is rated Important for all affected releases of Microsoft .NET Framework for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by changing the way in which the XMLDsig recommendation has been implemented in the Microsoft .NET Framework. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation.  The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. Microsoft Knowledge Base Article 981343 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.
Top of sectionTop of section
Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software
Operating System Component Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by this Update
Microsoft Windows 2000

Microsoft Windows 2000 Service Pack 4


Microsoft .NET Framework 1.1 Service Pack 1
(KB979906)


Tampering


Important


MS09-061

Microsoft Windows 2000 Service Pack 4


Microsoft .NET Framework 2.0 Service Pack 2
(KB979909)


Tampering


Important


None
Windows XP

Windows XP Service Pack 2


Microsoft .NET Framework 1.0 Service Pack 3
(KB979904)

(Windows XP Media Center Edition 2005 only)


Tampering


Important


None

Windows XP Service Pack 3


Microsoft .NET Framework 1.0 Service Pack 3
(KB979904)

(Windows XP Media Center Edition 2005 and Windows XP Tablet PC Edition 2005 only)


Tampering


Important


None

Windows XP Service Pack 2 and Windows XP Service Pack 3


Microsoft .NET Framework 1.1 Service Pack 1
(KB979906)



Tampering


Important


MS09-061

Windows XP Service Pack 2 and Windows XP Service Pack 3


Microsoft .NET Framework 3.5
(KB982865)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979909)


Tampering


Important


None

Windows XP Professional x64 Edition Service Pack 2


Microsoft .NET Framework 1.1 Service Pack 1
(KB979906)


Tampering


Important


MS09-061

Windows XP Professional x64 Edition Service Pack 2


Microsoft .NET Framework 3.5
(KB982865)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979909)


Tampering


Important


None
Windows Server 2003

Windows Server 2003 Service Pack 2


Microsoft .NET Framework 1.1 Service Pack 1
(KB979907)

Microsoft .NET Framework 3.5
(KB982865)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979909)


Tampering


Important


None

Windows Server 2003 x64 Edition Service Pack 2


Microsoft .NET Framework 1.1 Service Pack 1
(KB979906)


Tampering


Important


MS09-061

Windows Server 2003 x64 Edition Service Pack 2


Microsoft .NET Framework 3.5
(KB982865)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979909)


Tampering


Important


None

Windows Server 2003 with SP2 for Itanium-based Systems


Microsoft .NET Framework 1.1 Service Pack 1
(KB979906)


Tampering


Important


MS09-061

Windows Server 2003 with SP2 for Itanium-based Systems


Microsoft .NET Framework 3.5
(KB982865)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979909)


Tampering


Important


None
Windows Vista

Windows Vista Service Pack 1 and Windows Vista Service Pack 2


Microsoft .NET Framework 1.1 Service Pack 1
(KB979906)


Tampering


Important


MS09-061

Windows Vista Service Pack 1


Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
(KB979913)


Tampering


Important


MS09-036

Windows Vista Service Pack 1


Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979911)


Tampering


Important


None

Windows Vista Service Pack 2


Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979910)


Tampering


Important


None

Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2


Microsoft .NET Framework 1.1 Service Pack 1
(KB979906)


Tampering


Important


MS09-061

Windows Vista x64 Edition Service Pack 1


Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
(KB979913)


Tampering


Important


MS09-036

Windows Vista x64 Edition Service Pack 1


Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979911)


Tampering


Important


None

Windows Vista x64 Edition Service Pack 2


Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979910)


Tampering


Important


None
Windows Server 2008

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2


Microsoft .NET Framework 1.1 Service Pack 1**
(KB979906)


Tampering


Important


MS09-061

Windows Server 2008 for 32-bit Systems


Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5**
(KB979913)


Tampering


Important


MS09-036

Windows Server 2008 for 32-bit Systems


Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1**
(KB979911)


Tampering


Important


None

Windows Server 2008 for 32-bit Systems Service Pack 2


Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1**
(KB979910)


Tampering


Important


None

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2


Microsoft .NET Framework 1.1 Service Pack 1**
(KB979906)


Tampering


Important


MS09-061

Windows Server 2008 for x64-based Systems


Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5**
(KB979913)


Tampering


Important


MS09-036

Windows Server 2008 for x64-based Systems


Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1**
(KB979911)


Tampering


Important


None

Windows Server 2008 for x64-based Systems Service Pack 2


Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1**
(KB979910)


Tampering


Important


None

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2


Microsoft .NET Framework 1.1 Service Pack 1
(KB979906)


Tampering


Important


MS09-061

Windows Server 2008 for Itanium-based Systems


Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
(KB979913)


Tampering


Important


MS09-036

Windows Server 2008 for Itanium-based Systems


Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979911)


Tampering


Important


None

Windows Server 2008 for Itanium-based Systems Service Pack 2


Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB979910)


Tampering


Important


None
Windows 7

Windows 7 for 32-bit Systems


Microsoft .NET Framework 3.5.1
(KB979916)


Tampering


Important


None

Windows 7 for x64-based Systems


Microsoft .NET Framework 3.5.1
(KB979916)


Tampering


Important


None
Windows Server 2008 R2

Windows Server 2008 R2 for x64-based Systems


Microsoft .NET Framework 3.5.1*
(KB979916)


Tampering


Important


None

Windows Server 2008 R2 for Itanium-based Systems


Microsoft .NET Framework 3.5.1
(KB979916)


Tampering


Important


None

*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN article, Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 R2; see Compare Server Core Installation Options.

**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the MSDN article, Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Non-Affected Software
Operating System Microsoft .NET Framework

All supported releases of Microsoft Windows


Microsoft .NET Framework 3.0

All supported releases of Microsoft Windows


Microsoft .NET Framework 3.0 Service Pack 1

All supported releases of Microsoft Windows


Microsoft .NET Framework 3.0 Service Pack 2

Windows Vista Service Pack 2


Microsoft .NET Framework 3.5

Windows Vista x64 Edition Service Pack 2


Microsoft .NET Framework 3.5

Windows Server 2008 Service Pack 2


Microsoft .NET Framework 3.5

Windows Server 2008 for x64-based Systems Service Pack 2


Microsoft .NET Framework 3.5

Windows Server 2008 with SP2 for Itanium-based Systems


Microsoft .NET Framework 3.5

All supported releases of Microsoft Windows


Microsoft .NET Framework 4.0
Top of sectionTop of section

Frequently Asked Questions (FAQ) Related to This Security Update

What is a data tampering vulnerability?
In information security, a data tampering vulnerability could allow the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet. Specifically for this vulnerability, if an effective cryptographic signature is used to digitally sign data, and this data is modified after it has been signed, and the verification of the digital signature fails, this indicates tampering. If the verification of the signature succeeds despite the fact that the data has been tampered with, this also indicates tampering.

How do I determine which version of the Microsoft .NET Framework is installed?
You can install and run multiple versions of the .NET Framework on a system, and you can install the versions in any order. There are several ways to determine which versions of the .NET Framework are currently installed. For more information, please see Microsoft Knowledge Base Article 318785 or the MSDN article, Determining Which Version of the .NET Framework Is Installed.

Why are Microsoft .NET Framework 3.5 and Microsoft .NET Framework 3.5 Service Pack 1 affected on some supported operating systems?
Microsoft .NET Framework 3.5 includes Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.0 Service Pack 1 subcomponents. Microsoft .NET Framework 3.5 Service Pack 1 contains Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.0 Service Pack 2 subcomponents. On some operating systems, Microsoft .NET Framework 3.5 and Microsoft .NET Framework 3.5 Service Pack 1 may install these vulnerable subcomponents.

I have a version of Microsoft .NET Framework installed on my system that is not listed in this bulletin. Is my configuration affected by this vulnerability?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle or are not supported. Customers who have an unsupported version of the Microsoft .NET Framework installed on their system are advised to uninstall that version of the Microsoft .NET Framework and to upgrade to a newer version of the Microsoft .NET Framework.

The Microsoft .NET Framework can be uninstalled via the Add or Remove Programs tool in Control Panel. For more information about the removal of specific versions of the Microsoft .NET Framework, see Microsoft Knowledge Base Article 320122, Microsoft Knowledge Base Article 824643, and Microsoft Knowledge Base Article 908077.

Does this update contain any security-related changes to functionality?
Yes. In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes a defense-in-depth change to the ASP.NET request validation feature, to address an issue that could allow an attacker to bypass a basic defense-in-depth measure that is enabled by default on ASP.NET-enabled Web sites.

The issue is caused because the request validation feature in ASP.NET does not properly check for a specific character sequence. The ASP.NET request validation feature cannot replace an effective validation layer restricting untrusted input variables. Developers wishing to learn more about the security features that ASP.NET provides to Web applications may refer to the MSDN article, Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks.

If a Web site does not have an effective validation layer in place to restrict untrusted user input, an attacker who successfully exploited this issue may be able to inject arbitrary content including ASP.NET content into the affected web site. This defense-in-depth change mitigates the issue that was privately reported.

What is ASP.NET Request Validation?
This defense-in-depth change to the ASP.NET request validation feature performs basic input validation on web sites running ASP.NET. However, the ASP.NET request validation feature cannot replace an effective validation layer that restricts untrusted input variables. Developers wishing to learn more about the security features that ASP.NET provides to Web applications may refer to the MSDN articles, Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks and .

How do I know if my ASP.NET Web application is affected by this defense-in-depth change?
ASP.NET-developed Web applications that restrict all untrusted input variables to a range of expected values or characters would not be affected. For more information on hardening ASP.NET Web applications, see Microsoft Knowledge Base Article 815155.

What is ASP.NET?
ASP.NET is a collection of technologies within the Microsoft .NET Framework that enable developers to build Web applications and XML Web Services.

Unlike traditional Web pages, which use a combination of static HTML and scripting, ASP.NET uses compiled, event-driven pages. Because ASP.NET is a Web-based application environment, requiring an underlying Web server to provide basic HTTP functionality, ASP.NET runs on top of Internet Information Services (IIS). For more information, see The Official Microsoft ASP.NET Site.

Why is this issue addressed as a defense-in-depth measure?
ASP.NET request validation is being addressed as a defense-in-depth change, which can be used as an extra precautionary measure in addition to the developer's own input validation. Only the developer can define what constitutes good input for a specific application. Defense-in-depth features are not designed to be relied upon, even though multiple such layers can substantially help prevent attackers from compromising the security of the system in question. Therefore, if ASP.NET request validation misses a specific character sequence, the maximum security impact of this issue cannot be higher than if this feature were disabled altogether.

What is defense-in-depth?
In information security, defense-in-depth refers to an approach in which multiple layers of defense are in place to help prevent attackers from compromising the security of a network or system.

Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Top of sectionTop of section
Vulnerability Information

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary. For more information, see Microsoft Exploitability Index.
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software XML Signature HMAC Truncation Bypass Vulnerability - CVE-2009-0217 Aggregate Severity Rating
Microsoft .NET Framework 1.0 Service Pack 3

Microsoft .NET Framework 1.0 Service Pack 3 on Windows XP Service Pack 2
(Windows XP Media Center Edition 2005 only)


Important
Tampering


Important

Microsoft .NET Framework 1.0 Service Pack 3 on Windows XP Service Pack 3
(Windows XP Media Center Edition 2005 and Windows XP Tablet PC Edition 2005 only)


Important
Tampering


Important
Microsoft .NET Framework 1.1 Service Pack 1

Microsoft .NET Framework 1.1 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4


Important
Tampering


Important

Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows XP Service Pack 2 and Windows XP Service Pack 3


Important
Tampering


Important

Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows XP Professional x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2003 x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2003 with SP2 for Itanium-based Systems


Important
Tampering


Important

Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**


Important
Tampering


Important

Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**


Important
Tampering


Important

Microsoft .NET Framework 1.1 Service Pack 1 when installed on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2


Important
Tampering


Important
Microsoft .NET Framework 2.0 Service Pack 1

Microsoft .NET Framework 2.0 Service Pack 1 on Windows Vista Service Pack 1


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 1 on Windows Vista x64 Edition Service Pack 1


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 1 on Windows Server 2008 for 32-bit Systems**


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 1 on Windows Server 2008 for x64-based Systems**


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 1 on Windows Server 2008 for Itanium-based Systems


Important
Tampering


Important
Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Microsoft Windows 2000 Service Pack 4


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows XP Service Pack 2 and Windows XP Service Pack 3


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows XP Professional x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2003 Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2003 x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2003 with SP2 for Itanium-based Systems


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Vista Service Pack 1


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Vista x64 Edition Service Pack 1


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2008 for 32-bit Systems**


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2**


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2008 for x64-based Systems**


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2**


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 when installed on Windows Server 2008 for Itanium-based Systems


Important
Tampering


Important

Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 with SP2 for Itanium-based Systems


Important
Tampering


Important
Microsoft .NET Framework 3.5

Microsoft .NET Framework 3.5 when installed on Windows XP Service Pack 2 and Windows XP Service Pack 3


Important
Tampering


Important

Microsoft .NET Framework 3.5 when installed on Windows XP Professional x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 3.5 when installed on Windows Server 2003 Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 3.5 when installed on Windows Server 2003 x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 3.5 when installed on Windows Server 2003 with SP2 for Itanium-based Systems


Important
Tampering


Important

Microsoft .NET Framework 3.5 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 3.5 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 3.5 when installed on Windows Server 2008 for 32-bit Systems**


Important
Tampering


Important

Microsoft .NET Framework 3.5 when installed on Windows Server 2008 for x64-based Systems**


Important
Tampering


Important

Microsoft .NET Framework 3.5 when installed on Windows Server 2008 for Itanium-based Systems


Important
Tampering


Important
Microsoft .NET Framework 3.5 Service Pack 1

Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows XP Service Pack 2 and Windows XP Service Pack 3


Important
Tampering


Important

Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows XP Professional x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2003 Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2003 x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2003 with SP2 for Itanium-based Systems


Important
Tampering


Important

Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Vista Service Pack 1 and Windows Vista Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2


Important
Tampering


Important

Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**


Important
Tampering


Important

Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**


Important
Tampering


Important

Microsoft .NET Framework 3.5 Service Pack 1 when installed on Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2


Important
Tampering


Important
Microsoft .NET Framework 3.5.1

Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems


Important
Tampering


Important

Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems


Important
Tampering


Important

Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems*


Important
Tampering


Important

Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems


Important
Tampering


Important

*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN article, Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 R2; see Compare Server Core Installation Options.

**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the MSDN article, Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.
Top of sectionTop of section

XML Signature HMAC Truncation Authentication Bypass Vulnerability - CVE-2009-0217

A data tampering vulnerability exists in the Microsoft .NET Framework that could allow an attacker to tamper with signed XML content without being detected. In custom applications, the security impact depends on the specific usage scenario. Scenarios in which signed XML messages are transmitted over a secure channel (such as SSL) are not affected by this vulnerability.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0217.

Mitigating Factors for XML Signature HMAC Truncation Authentication Bypass Vulnerability - CVE-2009-0217

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:


Microsoft Office implements XML signature checking in a way that cannot be exploited by an attacker attempting to exploit this data tampering vulnerability.
Top of sectionTop of section

Workarounds for XML Signature HMAC Truncation Authentication Bypass Vulnerability - CVE-2009-0217

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:


Use a secure channel to transmit sensitive information

If your application transmits sensitive XML data or XML data that is critical to the security of your application, use a secure channel to transmit this information. For instance, if you use Internet Information Server, require SSL for sensitive or security critical applications.
Top of sectionTop of section

FAQ for XML Signature HMAC Truncation Authentication Bypass Vulnerability - CVE-2009-0217

What is the scope of the vulnerability?
This vulnerability is a data tampering vulnerability that can be used to bypass a cryptographic signature.

What causes the vulnerability?
The vulnerability is caused by the way that the W3C XML Signature Syntax and Processing (XMLDsig) recommendation has been implemented in the Microsoft .NET Framework. For more information about XMLDsig, see the W3C Recommendation, XML Signature Syntax and Processing (Second Edition) or see section "E03 HMAC truncation (CVE-2009-0217)" in Errata for XML Signature Second Edition.

What is the Microsoft .NET Framework?
The Microsoft .NET Framework is a component of the Microsoft Windows operating system that enables building and running software applications and Web services. It includes technologies for Web services and Web applications (ASP.NET), data access (ADO.NET), smart client applications (Windows Forms), and many others.

What is HMAC?
A Hash-based Message Authentication Code (HMAC) can be used to determine whether a message sent over an insecure channel has been tampered with, provided that the sender and receiver share a secret key, by verifying the integrity and authenticity of the message.

What is XML?
Extensible Markup Language, or XML, is a markup language that provides a format for describing structured data. Extensible Markup Language (XML) is a World Wide Web Consortium (W3C) specification and a subset of Standard Generalized Markup Language (SGML). For more information about XML, see the MSDN Data Developer Center page XML home page or the W3C Recommendation, Extensible Markup Language (XML) 1.0 (Fifth Edition).

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could bypass certain cryptographic signatures and as a result, tamper with signed XML content without the receiver detecting the changes. If the message is changed completely from its original meaning, this may also constitute spoofing. In situations where a developer has written an application that relies on HMAC signed XML content, the security impact depends on the specific usage scenario for that application.

How could an attacker exploit the vulnerability?
An attacker would need to send specially crafted XML content to a vulnerable system. Microsoft Office implements XML signature checking in a way that cannot be exploited by an attacker.

What systems are primarily at risk from the vulnerability?
Systems or applications that rely on Hash-based Message Authentication Code (HMAC) for cryptographic operations are primarily at risk. Microsoft Office implements XML signature checking in a way that cannot be exploited by an attacker attempting to exploit the vulnerability.

What does the update do?
The update addresses the way in which the XMLDsig recommendation has been implemented in the Microsoft .NET Framework.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2009-0217.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:


Arian Evans of WhiteHat Security for reporting the bypass issue in ASP.NET request validation that is addressed in this bulletin through a defense-in-depth change

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Support


Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.


International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions


V1.0 (June 8, 2010): Bulletin published.

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod