Microsoft released two IIS-related updates in this month's batch of security patches. The first involves ASP, and the second ASP.NET. Both are listed as Important. What are the actual risks and vulnerability details though?

ASP.NET

The ASP.NET patch (MS06-033) deals with a potential Information Disclosure risk. In ASP.NET v2 a special folder called app_data is used to hold a number of web-application-specific files. All files used natively by ASP.NET and Visual Studio have their extensions already mapped to the System.Web.HttpForbiddenHandler HTTP handler, and will not be served.

However, if you create a file with a custom file extension and place it into the app_data folder, a user may be able to download this file if they know, or can guess, the name. If you are using IIS 6.0, then you also have to have a MIME type defined for that custom file extension, as IIS 6.0 does not serve files with no defined MIME type.

So you are only at risk here if you create files with custom file extensions or you have changed the default configuration of ASP.NET to allow requests to file types that ASP.NET or Visual Studio use.

The following file types are (by default) blocked: *.asax, *.ascx, *.master, *.skin, *.browser, *.sitemap, *.config (but not *.exe.config or *.dll.config), *.cs, *.csproj, *.vb, *.vbproj, *.webinfo, *.licx, *.resx, *.resources, *.mdb, *.vjsproj, *.java, *.dd, *.jsl, *.ldb, *.ad, *.ldd, *.sd, *.cd, *.adprototype, *.lddprototype, *.sdm, *.sdmDocument, *.mdf, *.ldf, *.exclude, *.refresh
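To check whether a server is in the exposed configuration described above, the following added example (not part of the original post) walks a web root and reports files inside any app_data folder whose extension is not on the default blocked list quoted above. The function names and the sample file names are assumptions made for illustration.

```python
import os
import tempfile

# Extensions the page lists as blocked by default (HttpForbiddenHandler).
BLOCKED = {
    ".asax", ".ascx", ".master", ".skin", ".browser", ".sitemap", ".config",
    ".cs", ".csproj", ".vb", ".vbproj", ".webinfo", ".licx", ".resx",
    ".resources", ".mdb", ".vjsproj", ".java", ".dd", ".jsl", ".ldb", ".ad",
    ".ldd", ".sd", ".cd", ".adprototype", ".lddprototype", ".sdm",
    ".sdmdocument", ".mdf", ".ldf", ".exclude", ".refresh",
}
# The page notes these two *.config forms are NOT covered by the block.
CONFIG_EXCEPTIONS = (".exe.config", ".dll.config")

def is_blocked_by_default(filename):
    """True if the file's extension is on the default blocked list."""
    name = filename.lower()
    if name.endswith(CONFIG_EXCEPTIONS):
        return False
    return os.path.splitext(name)[1] in BLOCKED

def find_exposed_files(web_root):
    """Relative paths of files under any app_data folder that the default
    handler mappings do not block. On IIS 6.0 a reported file is only
    served if a MIME type is also defined for its extension."""
    exposed = []
    for dirpath, _dirs, filenames in os.walk(web_root):
        parts = os.path.relpath(dirpath, web_root).lower().split(os.sep)
        if "app_data" not in parts:
            continue
        for fn in filenames:
            if not is_blocked_by_default(fn):
                full = os.path.join(dirpath, fn)
                exposed.append(os.path.relpath(full, web_root))
    return sorted(exposed)

def demo():
    # Constructed sample tree; all file names here are hypothetical.
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "site1", "App_Data")
        os.makedirs(data)
        for fn in ("users.mdf", "orders.dat", "tool.exe.config", "web.config"):
            open(os.path.join(data, fn), "w").close()
        open(os.path.join(root, "site1", "default.aspx"), "w").close()
        return find_exposed_files(root)

if __name__ == "__main__":
    print(demo())
```

Point `find_exposed_files` at the real site root to get the list of files that need either a forbidden-handler mapping or a move out of the web-accessible tree.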

ASP

The ASP flaw (MS06-034) allows an attacker to execute code under the process identity of the process hosting the ASP page. On IIS 6.0, by default, this is Network Service. On IIS 5.0, by default, this is IWAM_. However, it may be LocalSystem if you have changed the default worker process user account in IIS 6.0, or are using Low process isolation in IIS 5.0.

However, to exploit this vulnerability, an attacker must be able to get a malicious ASP page onto your server (just requesting an existing, safe ASP page is not sufficient) and make a request to this malicious page. So, if you are a hosting company and must allow clients to upload pages to their sites, you are at risk. However, if you are running a site where external users are not able to get their own ASP pages onto your server, then you do not appear to be at risk at this stage.