Microsoft will now enforce an ASP.NET security configuration setting, almost a year after warning that disabling it is dangerous because it gives attackers free run of affected web sites.
The setting in question is called EnableViewStateMac. Microsoft now says it will no longer allow the setting to be turned off (set to false), because doing so is never safe.
Consultant Neill Reid of Microsoft partner firm Cyberstate Ltd explained that the idea behind viewstate is to use a coded string of data appended to webpage links, so that variables used for databases persist across pages.
The message authentication code, or MAC, is a security feature used to verify that the variables and other data are what they purport to be, Reid said. If MAC validation is set to false, the server does not attempt to authenticate the variables and instead takes them at face value. Microsoft permitted the MAC to be turned off as a quick hack for scenarios such as transferring requests between machines that have different cryptographic keys.
“This could lead to all sorts of problems, such as the old SQL injection attack ‘OR 1=1’,” Reid said.
“As an example, an online auction site using Microsoft’s ASPX framework without the MAC turned on could in theory allow users with the knowledge of how to manipulate the viewstate to insert lower bids than the current one,” Reid said.
“They could even delete higher bids and win auctions that way,” he added.
“It seems that allowing MAC to be set to false was a very kludgy workaround that wasn’t fully thought through.”
According to the Microsoft Developer Network article, any ASP.NET-based website with EnableViewStateMac set to false is open to remote code execution attacks.
"MAC in this context stands for message authentication code, which is a cryptographic code generated by the server and appended to the __VIEWSTATE hidden form field. The MAC ensures that the client hasn't tampered with these fields.
When EnableViewStateMac is set to true, this code is validated by the server when the client submits the __VIEWSTATE hidden form field during post back. This setting has been enabled (true) by default for all versions of ASP.NET," Microsoft said.
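The following is an added illustration, not code from the article, from Microsoft or from Cyberstate: a small Python model of the mechanism Microsoft describes above, with the auction scenario Reid gives as the tampered input. The server serialises page state into a hidden field, optionally appends an HMAC computed with a server-side key, and on postback either validates that tag or (with the MAC disabled) takes the field at face value. The key, the field names and the JSON encoding are assumptions for the demo; real ASP.NET uses its own binary ObjectStateFormatter serialisation and the machineKey, which is why the real setting also exposes the deserialisation-based code execution the MSDN article warns about, whereas this toy only shows the bid tampering.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key standing in for the ASP.NET machineKey (assumption).
SERVER_KEY = b"constructed-demo-key-not-a-real-machineKey"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_viewstate(state, key, enable_mac=True):
    """Server side: serialise state into the hidden field.

    With enable_mac=True an HMAC-SHA256 over the payload is appended,
    mirroring the MAC that ASP.NET appends to __VIEWSTATE.
    """
    payload = json.dumps(state, sort_keys=True).encode()
    if enable_mac:
        payload += hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode()


def decode_viewstate(field, key, enable_mac=True):
    """Server side on postback: validate the MAC (if enabled), then parse.

    Raises ValueError when the tag does not match, i.e. the client
    changed the state after the server issued it.
    """
    raw = base64.b64decode(field)
    if enable_mac:
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ViewState MAC validation failed")
    else:
        payload = raw  # taken at face value: no check at all
    return json.loads(payload)


def tamper(field, enable_mac, **changes):
    """Attacker side: decode the field, edit values, re-encode.

    The attacker does not know SERVER_KEY, so when a MAC is present the
    best they can do is re-attach the old tag to the modified payload.
    """
    raw = base64.b64decode(field)
    payload = raw[:-TAG_LEN] if enable_mac else raw
    state = json.loads(payload)
    state.update(changes)
    new_payload = json.dumps(state, sort_keys=True).encode()
    if enable_mac:
        new_payload += raw[-TAG_LEN:]  # stale tag, will not verify
    return base64.b64encode(new_payload).decode()


def simulate_auction_postback(enable_mac):
    """Reid's auction example: the attacker lowers the minimum bid.

    Returns (accepted, min_bid_seen_by_server). With the MAC on the
    forged postback is rejected; with it off the server believes the
    attacker's numbers.
    """
    state = {"auction_id": 42, "current_high_bid": 500, "min_bid": 510}
    field = encode_viewstate(state, SERVER_KEY, enable_mac)
    forged = tamper(field, enable_mac, current_high_bid=100, min_bid=101)
    try:
        posted = decode_viewstate(forged, SERVER_KEY, enable_mac)
    except ValueError:
        return (False, None)
    return (True, posted["min_bid"])


if __name__ == "__main__":
    print("EnableViewStateMac=false:", simulate_auction_postback(False))
    print("EnableViewStateMac=true: ", simulate_auction_postback(True))
```

In ASP.NET itself the equivalent switch is the `enableViewStateMac` attribute on the `<pages>` element in web.config (or on the `@ Page` directive), and the tag is keyed by the `<machineKey>` configuration; the scenario the old guidance catered for was servers in a farm whose machine keys differed, which the proper fix addresses by giving every server the same machineKey rather than by dropping validation.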
Microsoft said that the change could affect many web applications. Nevertheless, the company said the change was necessary to prevent customers from running ASP.NET insecurely.
The advice reverses older bulletins that said web applications could, in some cases, get away with EnableViewStateMac set to false.
"The original guidance was bad: this setting is categorically insecure, and this setting doesn't improve performance. We have since corrected this guidance, but the damage was done. There was a very large number of ASP.NET web sites which ran with this insecure setting," Microsoft said.