Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint 2010

We recently released a Microsoft Security Advisory about a security vulnerability in ASP.NET.  This post explains the impact on SharePoint and documents a recommended workaround. This vulnerability affects Microsoft SharePoint 2010 and Microsoft SharePoint Foundation 2010.  The vulnerability is in ASP.NET. We recommend that all SharePoint 2010 customers apply the workaround as soon as possible.  This post will be updated with any new information.

The workaround for SharePoint 2010 is slightly different from the one documented in the advisory.  For SharePoint 2010, you should follow the instructions below on every web front-end in your SharePoint farm:

  1. Browse to the SharePoint installation directory at %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\template\layouts.
  2. Create a new file called error2.aspx in this directory with the following content:
    <%@ Page Language="C#" AutoEventWireup="true" %>
    <%@ Import Namespace="System.Security.Cryptography" %>
    <%@ Import Namespace="System.Threading" %>
    <script runat="server">
       void Page_Load() {
          byte[] delay = new byte[1];
          RandomNumberGenerator prng = new RNGCryptoServiceProvider();
          IDisposable disposable = prng as IDisposable;
          if (disposable != null) { disposable.Dispose(); }
    <head runat="server">
            An error occurred while processing your request.
  3. Navigate to %SystemDrive%\inetpub\wwwroot\wss\virtualdirectories.
  4. For each subfolder in this directory, do the following:
    1. Edit web.config
    2. Find the customErrors node and change it to;
      <customErrors mode="On" redirectMode="ResponseRewrite"
      defaultRedirect="/_layouts/error2.aspx" />
    3. Save your changes
    4. Run iisreset /noforce

    For more information:Microsoft Security Advisory (2416728) – Vulnerability in ASP.NET Could Allow Information DisclosureSecurity Advisory 2416728 Released – Microsoft Security Response Center BlogUnderstanding the ASP.NET Vulnerability – Microsoft Security Research & Defense BlogImportant: ASP.NET Security Vulnerability – Scott Guthrie’s BlogFrequently Asked Questions about the ASP.NET Security Vulnerability – Scott Guthrie’s Blog


    Wichtiges Update 23.09.2010:
    Wichtiges Update 28.09.2010:
    Out of Band Release to Address Microsoft Security Advisory 2416728
    Microsoft Security Bulletin MS10-070 – Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

Kommentar verfassen

Trage deine Daten unten ein oder klicke ein Icon um dich einzuloggen:

Du kommentierst mit Deinem Abmelden /  Ändern )

Google+ Foto

Du kommentierst mit Deinem Google+-Konto. Abmelden /  Ändern )


Du kommentierst mit Deinem Twitter-Konto. Abmelden /  Ändern )


Du kommentierst mit Deinem Facebook-Konto. Abmelden /  Ändern )


Verbinde mit %s