Software giant Microsoft has had enough of a suicide server setting in ASP.NET which too few sysadmins can be bothered disabling.
Microsoft said that all future versions of ASP.NET will enforce the deprecation of EnableViewStateMac=“false”. This was in a security advisory in December 2013, when Redmond has warned the setting had a privilege escalation vulnerability. Microsoft warned that disabling Message Authentication Code (MAC) validation would allow an attacker to use crafted HTTP code to inject code into the ASP.NET server.
Microsoft fixed that problem in ASP.NET 4.5.2 and in an optional patch for customers. Now, in a notice published on September 9, Microsoft says the previously optional patch will henceforth be enforced for all versions of ASP.NET.
“If you are running the ASP.NET framework on your machine, this behaviour will be picked up automatically the next time you check for updates.”
However it is likely to break installations still using EnableViewStateMac=“false”, but Microsoft said it was necessary to address this issue head-on due to the prevalence of misinformation regarding this switch and the number of customers who are running with it set to an insecure setting.
Most developers using the insecure setting did so to support cross-page posts on their sites. The scenario most likely to break when EnableViewStateMac=“false” is disabled is where designers were avoiding synchronising the <machineKey> setting in a Web farm.
You can read the advisory here