Microsoft to patch ASP.NET mess even if you don't

Microsoft has taken the final step in sunsetting a dangerous server setting, announcing that all future versions of ASP.NET will enforce the deprecation of EnableViewStateMac="false". That setting switches off the message authentication code with which a server detects a tampered or forged ViewState submitted by the client. Since December 2013, when this security advisory landed, Redmond has warned sysadmins that the setting had a privilege escalation vulnerability …
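The setting can be disabled in three places: in a web.config or machine.config `<pages>` element (including one nested inside a `<location>` override), in a page's `@ Page` directive, and in code-behind that assigns the property at runtime. The following Python script, added here as an example and not code from the article or from Microsoft, audits sample content for all three and rewrites a config so the MAC is re-enabled. The file contents and the names Order.aspx and Order.aspx.cs are constructed for the demonstration.

```python
"""
Audit (and fix) ASP.NET settings that disable the ViewState MAC.

Added example: scans web.config/machine.config XML, .aspx page directives and
code-behind text for EnableViewStateMac="false", the setting the advisory
deprecates, and rewrites a config so no <pages> element disables it.
All sample inputs below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a site-level <pages> element and one inside a
# <location> override, both disabling the MAC.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
  <location path="legacy">
    <system.web>
      <pages enableViewStateMac="false" />
    </system.web>
  </location>
</configuration>
"""

# Constructed sample: a page directive overriding the config. Directive
# attributes are case-insensitive in ASP.NET, so the scan matches that way.
SAMPLE_ASPX = """<%@ Page Language="C#" AutoEventWireup="true"
    enableviewstatemac="false" CodeBehind="Order.aspx.cs" %>
<html><body><form runat="server"></form></body></html>
"""

# Constructed sample: code-behind flipping the property at runtime.
SAMPLE_CODE_BEHIND = """protected void Page_Init(object sender, EventArgs e)
{
    this.EnableViewStateMac = false; // "fixes" a load-balanced MAC error
}
"""

PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
DISABLED_ATTR = re.compile(r"""\bEnableViewStateMac\s*=\s*["']?\s*false\s*["']?""", re.I)
# Single "=" only: an "== false" comparison in code is not an assignment.
DISABLED_IN_CODE = re.compile(r"\bEnableViewStateMac\s*=\s*false\b", re.I)


def audit_config(xml_text, path="web.config"):
    """One finding per <pages> element, at any depth (so <location>
    overrides are covered), whose enableViewStateMac attribute is false."""
    findings = []
    root = ET.fromstring(xml_text)
    for pages in root.iter("pages"):
        for name, value in pages.attrib.items():
            if name.lower() == "enableviewstatemac" and value.strip().lower() == "false":
                findings.append(f'{path}: <pages {name}="false">')
    return findings


def audit_page(text, path):
    """Flag an @ Page directive that sets EnableViewStateMac to false."""
    return [f"{path}: @ Page directive disables ViewState MAC"
            for m in PAGE_DIRECTIVE.finditer(text)
            if DISABLED_ATTR.search(m.group(1))]


def audit_code(text, path):
    """Flag source lines that assign EnableViewStateMac = false (C# or VB)."""
    return [f"{path}:{lineno}: {line.strip()}"
            for lineno, line in enumerate(text.splitlines(), 1)
            if DISABLED_IN_CODE.search(line)]


def harden_config(xml_text):
    """Return the config with every enableViewStateMac attribute set to true.
    Comments and whitespace are not preserved, so diff before deploying."""
    root = ET.fromstring(xml_text)
    for pages in root.iter("pages"):
        for name in list(pages.attrib):
            if name.lower() == "enableviewstatemac":
                pages.set(name, "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    findings = (audit_config(SAMPLE_WEB_CONFIG)
                + audit_page(SAMPLE_ASPX, "Order.aspx")
                + audit_code(SAMPLE_CODE_BEHIND, "Order.aspx.cs"))
    for finding in findings:
        print(finding)
    print(harden_config(SAMPLE_WEB_CONFIG))
```

Point the three audit functions at real files with `Path.rglob("web.config")`, `rglob("*.aspx")` and `rglob("*.cs")` (or `*.vb`) to sweep a server. The usual reason the flag was set to false in the first place is a "validation of viewstate MAC failed" error on a web farm whose nodes have different auto-generated keys; the correct fix for that is an explicit, identical `<machineKey>` on every node, not disabling the check.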

  1. Tzhx

    So, does this mean that even if you don't install the updates on your server, this will still happen?

    Not that I use this feature, but it sets a worrying precedent and is a nightmare for giving any sort of low-cost long-term support for "complete" projects if Redmond will just deprecate things as security holes are found in them.

    1. JDX

      How exactly do you envisage MS changing the behaviour on your server if you don't install the update?

      1. Tzhx

        Well, the article title says MS will do it even if we won't, and they allegedly have previous for updating some things without the user's permission.

        Also, my concern was more along the lines of, in most places there is a difference between the person developing the application and the person managing the server. In shops where products last five, six, seven years and staff typically don't last that long, there's no way for a server owner to know what a patch might just disable / break under the broad "security fixes" heading without having knowledge of the code for all the products in their care -- which while it may be ideal is an unrealistic expectation to have.

      2. Anonymous Dutch Coward

        MS changing your server behind your back?

        "How exactly do you envisage MS changing the behaviour on your server if you don't install the update?"

        Easy. They'll use the NSA/FSB/Chinese State Security backdoor of course...

        1. Solmyr ibn Wali Barad

          Re: MS changing your server behind your back?

          They're doing it via their new and wonderful invention: Quantum Entanglement (®, TM, pat. pend). If they enable the flag on their server, it gets disabled on yours. Large scale deployments are also possible - in order to disable it in our universe, it has to be enabled in the parallel universe, where, as an added bonus, it might actually work well.

          There is a downside, though. Every time the switch is flipped, a cute cat with a German-sounding name will be either dead or alive.

          /the one with QT for Dummies in the pocket, thank you/

  2. Anonymous Bullard

    Cross-site request forgery has been in the OWASP top 10 for some time.

    The fact that Microsoft has to hand-hold my fellow ASP.NET developers like this shows how inept the bulk of them are.

  3. John P

    MS have been warning for years that this would be removed, admitting that it was a stupid idea to add the setting in the first place. Plenty of warning has been given and no one in their right mind should have this set to false anyway.

    1. Anonymous Coward

      There's nothing wrong with it being an option (for the very few who know what they're doing), but they should have set it to a secure default from the start.

      1. DavidRa

        AC: It _was_ set to the secure setting by default! MS are admitting they never should have allowed the mentally incompetent to de-secure it.

        And there's no valid reason for it to be an option. Learn to do servers securely (both devs and admins) or not at all, and just bloody deal with it properly. About the only thing left to do is scour stackexchange / serverexchange for all references to it, and down-vote to hell any answer which says to set the option.

        1. Anonymous Coward

          "It _was_ set to the secure setting by default"

          Oh!! And here was me explicitly setting it in the web.config - talk about incompetence... ah well, no harm done.

          But.. wow.. people are actually making an effort to disable it? That's even worse!

  4. Erik4872

    Expect more of this soon

    Microsoft's commitment to rapid product releases and bundling security patches with behavior changes is going to assure that we have these problems more frequently. In The Real World, it's not uncommon for an "enterprisey" business system to be deployed that takes advantage of certain "features" in an OS, browser, etc. Said system is usually a one-off, costs tons of money to replace or fix, and can't easily be extracted from day-to-day business operations. Yes, running something like IE 6 or unpatched JRE 1.4 is awful, but sometimes it's necessary. The consultants who build said systems are already long gone and often demand huge sums when they are called back to update these kinds of applications.

    I'm hoping that if Microsoft stops releasing discrete "versions" of their products, as they're rumored to be considering, they'll at least do a Long Term Stable branch like some of the Linux distributions do. That LTS branch can have the old patch framework -- patches are patches and feature updates are optional.

    We're currently dealing with this fun combined feature/patch... identifying and fixing this on a universal basis for everyone in our organization is going to be fun.

  5. Shannon Jacobs

    Not related to this week's BSoD, I presume?

    So did anyone else notice a BSoD in conjunction with this week's Microsoft Update? Just asking, even though the machine seemed okay on the reboot...
