MS05-004: ASP.NET Path Validation Vulnerability Could Allow Unauthorized Access

Article ID : 887219
Last Review : June 14, 2005
Revision : 3.0

Technical updates

June 14, 2005:
After the release of this bulletin, it was determined that the update for the Microsoft .NET Framework 1.0 Service Pack 3 for the Microsoft Windows XP Tablet PC Edition operating system and the Microsoft Windows XP Media Center Edition operating system were failing to install when the update was distributed via SMS or AutoUpdate. The updated package corrects this behavior.

Microsoft has released security bulletin MS05-004. The security bulletin contains all the relevant information about the security update, including file manifest information and deployment options. To view the complete security bulletin, visit the following Microsoft Web site:

Home users:
http://www.microsoft.com/security/bulletins/200502_windows.mspx (http://www.microsoft.com/security/bulletins/200502_windows.mspx)
IT professionals:
http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx (http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx)

For additional information about the ASP.NET performance impact after you install security update MS05-004, click the following article numbers to view the articles in the Microsoft Knowledge Base:

891829 (http://support.microsoft.com/kb/891829/) ASP.NET performance may be affected after you install security update MS05-004

894670 (http://support.microsoft.com/kb/894670/) You may receive error messages when you browse or you debug an ASP.NET application after you install security update 887219 (MS05-004)

For additional information about how to troubleshoot Microsoft .NET Framework 1.1 installation issues, click the following article number to view the article in the Microsoft Knowledge Base:

824643 (http://support.microsoft.com/kb/824643/) How to troubleshoot Microsoft .NET Framework 1.1 installation issues

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

268800 (http://support.microsoft.com/kb/268800/) Windows Installer must have original source files when you apply a patch

For additional information about an HTTP module to check for canonicalization issues with ASP.NET, click the following article number to view the article in the Microsoft Knowledge Base:

887289 (http://support.microsoft.com/kb/887289/) HTTP module to check for canonicalization issues with ASP.NET

For additional information about how to use the ASP.NET ValidatePath Module Scanner, click the following article number to view the article in the Microsoft Knowledge Base:

887290 (http://support.microsoft.com/kb/887290/) How to use the ASP.NET ValidatePath Module Scanner (VPModuleScanner.js)

MORE INFORMATION

The MS05-004 security update that you install depends of the configuration of your computer. The following is a list of the different MS05-004 updates by operating system:

Security update 886906

Security update 886906 is for the Microsoft .NET Framework 1.0 Service Pack 3 for the following operating systems:

Microsoft Windows 2000 Service Pack 3 or Windows 2000 Service Pack 4
Windows XP Service Pack 1 or Windows XP Service Pack 2
Windows Server 2003

Security update 887998

Security update 887998 is for the .NET Framework 1.0 Service Pack 3 for the following operating systems:
Windows XP Tablet PC Edition
Windows XP Media Center Edition

Security update 886905

Security update 886905 is for the .NET Framework 1.0 Service Pack 2 for the following operating systems:
Windows 2000 Service Pack 3 or Windows 2000 Service Pack 4
Windows XP Service Pack 1 or Windows XP Service Pack 2
Windows Server 2003

Security update 887999

Security update 887999 is for the .NET Framework 1.0 Service Pack 2 for the following operating systems:
Windows XP Tablet PC Edition
Windows XP Media Center Edition

Security update 886903

Security update 886903 is for the .NET Framework 1.1 Service Pack 1 for the following operating systems:
Windows 2000 Service Pack 3 or Windows 2000 Service Pack 4
Windows XP Service Pack 1 or Windows XP Service Pack 2
Windows XP Tablet PC Edition
Windows XP Media Center Edition
Windows Server 2003

Security update 886904

Security update 886904 is for the .NET Framework 1.1 for the following operating systems:
Windows 2000 Service Pack 3 or Windows 2000 Service Pack 4
Windows XP Service Pack 1 or Windows XP Service Pack 2
Windows XP Tablet PC Edition
Windows XP Media Center Edition
Windows Server 2003
APPLIES TO
Microsoft .NET Framework 1.0 Service Pack 2
Microsoft .NET Framework 1.0 Service Pack 3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Service Pack 1 (SP1)
Keywords: 
 kbfix kbbug kbsecvulnerability kbsecurity kbsecbulletin KB887219
James K. Murray (MCSA, MCSD)
President
A. M. Software Services, Inc.
347.247.6680
JamesMurray@AMSoftwareServices.com
http://www.amsoftwareservices.net