http://blogs.iis.net/davcox/archive/tags/ASP/default.aspxTags: ASPenCommunityServer 2007 SP1 (Build: 20510.895)http://blogs.iis.net/davcox/archive/2006/07/21/3-years-and-3-months.aspxFri, 21 Jul 2006 18:44:00 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1348277davcox1http://blogs.iis.net/davcox/rsscomments.aspx?PostID=1348277http://blogs.iis.net/davcox/commentapi.aspx?PostID=1348277http://blogs.iis.net/davcox/archive/2006/07/21/3-years-and-3-months.aspx#comments<P><FONT face=Arial color=#000000 size=2>Windows Server&nbsp;2003 and IIS6 released in March of 2003.&nbsp; Last week, we released a patch for asp.dll to fix our first vulnerability in over 3 years!&nbsp; </FONT></P> <P><FONT face=Arial color=#000000 size=2>It was kind of a sad day for the team (but one that we knew would come), because after IIS5, we&nbsp;committed as a team&nbsp;to never let IIS be an primary attack vector for the Windows platform.&nbsp; And so far we've been able to keep that commitment.&nbsp; Hopefully it'll be another 3 years before we release another one!&nbsp; :)&nbsp; So it was also a happy day in that 3 years is a really long time (these days) for your product to be really&nbsp;"unbreakable".&nbsp; :)</FONT></P> <P><FONT face=Arial color=#000000 size=2>I had the duty of testing the patch before it was released to make sure the vulnerability was indeed fixed.&nbsp; Ulad did a great job of doing a very thorough analysis of the code and a thorough fix to the issue.&nbsp; Given that we hadn't shipped a release like this in 3 years we did have a couple hicups, you might have seen or experienced this issue:&nbsp; </FONT></P> <P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><A title=http://news.com.com/Microsoft+irons+out+security+patch/2100-1002_3-6096179.html?tag=newsmap href="http://news.com.com/Microsoft+irons+out+security+patch/2100-1002_3-6096179.html?tag=newsmap" mce_href="http://news.com.com/Microsoft+irons+out+security+patch/2100-1002_3-6096179.html?tag=newsmap"><FONT color=#0000ff>http://news.com.com/Microsoft+irons+out+security+patch/2100-1002_3-6096179.html?tag=newsmap</FONT></A><FONT color=#000000>&nbsp;&nbsp;</FONT></SPAN></P> <P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><FONT color=#000000>That issue was mostly due to the "detectoid" logic that WU uses to say if the patch is needed or not; the patch itself was fine (so no work was required on the IIS side) although I spent a long night here last week to help them pinpoint the issue.&nbsp; </FONT></SPAN></P> <P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><FONT color=#000000>Also, we were unable to get the right logic to restart w3svc prior to updating the asp.dll binary, but there is an easy workaround for that.&nbsp; Next time, (if there is a next time) we'll be sure to get that logic correct.&nbsp; </FONT></SPAN></P><FONT face=Arial color=#000000 size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN></FONT> <P><FONT face=Arial color=#000000 size=2>As the MSRC bulletin says, this vulnerability requires the attacker to place asp content on the machine (so for example hosting scenarios).&nbsp; Once the maliciously formed page is requested, the attacker would be able to run arbitrary code.&nbsp; So it's certainly an important patch to install.&nbsp; There is extremely little risk in installling this patch given the nature of the code change and the testing that we did on this patch.&nbsp; </FONT></P> <P><FONT face=Arial color=#000000 size=2>Anyway, I'm glad to be back blogging, I had some permissions and user account problems blocking me.&nbsp; </FONT></P><img src="http://blogs.iis.net/aggbug.aspx?PostID=1348277" width="1" height="1">IIS6SecurityASP