Microsoft has taken the final step in sunsetting a dangerous server setting, announcing that all future versions of ASP.NET will enforce the deprecation of EnableViewStateMac=“false”.
Since December 2013, when this security advisory landed, Redmond has warned sysadmins that the setting had a privilege escalation vulnerability. At that time, Microsoft warned that disabling Message Authentication Code (MAC) validation would allow an attacker to use crafted HTTP code to inject code into the ASP.NET server.
That was addressed in ASP.NET 4.5.2 and in an optional patch for customers who needed to fix the setting before that version of the code shipped.
Now, in a notice published on September 9, Microsoft says the previously optional patch will henceforth be enforced for all versions of ASP.NET.
“If you are running the ASP.NET framework on your machine, this behavior will be picked up automatically the next time you check for updates,” the notice states. While it's likely to break installations still using EnableViewStateMac=“false”, Microsoft says “we felt it necessary to address this issue head-on due to the prevalence of misinformation regarding this switch and the number of customers who are running with it set to an insecure setting.”
Microsoft's post says most developers using the insecure setting did so to support cross-page posts on their sites. The scenario most likely to break when EnableViewStateMac=“false” is disabled is where designers were avoiding synchronising the <machineKey> setting in a Web farm. ®