- By Scott Bekker
- June 11, 2002
ASP.NET came of age this week when Microsoft posted a security patch for a vulnerability arising in some Web server farm environments.
ASP.NET is the .NET generation of Microsoft technologies to help developers build Web-based applications and XML Web services. It's been officially available for about four months.
The smallest Web server applications can handle session state within the same process as ASP.NET. Applications designed to scale across a Web server farm, however, must store session state in a separate running process so any server in the farm can access it during a user session.
StateServer is one way Microsoft handles the issue. Another way is a SQL Server mode, in which session state is stored and managed in the database. The SQL Server mode is Microsoft's recommended server farm mode because it makes the application more scalable.
The specific vulnerability with StateServer involves an unchecked buffer in the code that processes cookies. An attacker could exploit the buffer to mount an overrun attack. Microsoft says that theoretically the attacker could execute code in the context of an unprivileged account, but it has not been able to replicate that attack through the vulnerability.
Microsoft has been able to show that the buffer overrun attack would cause the ASP.NET application to restart and result in all active users losing session state.
In a FAQ in the patch description, Microsoft itself brings up the most stinging question: "I thought unchecked buffers are impossible in the .NET Framework?"
Redmond's answer to its own question is effectively that the .NET Framework isn't written entirely in .NET code.
"While the StateServer itself is written using the .NET Framework, there are some helper functions which it calls that are not written using the .NET Framework. The flaw which gives rise to the vulnerability is located in one of these helper functions written using traditional code," the bulletin states.
According to Microsoft, the company is at work migrating all helper functions over to the framework.
The bulletin and patch can be accessed at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-026.asp.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.