Time to Say Goodbye to EnableViewStateMac

In December 2013, Microsoft released a security advisory warning and stated that configuration setting EnableViewStateMac=false is dangerous and could allow an elevation of privilege attack against the web site. This advisory then followed by the security patch KB 2905247 which was optional. But, in September 2014 security update, Microsoft finally has enforced the farewell to EnableViewStateMac for all versions of the ASP.NET framework. Microsoft .NET Framework updates comes with the Windows updates and this patch would affect when you install latest Windows updates.

What does it mean?

All version of the ASP.NET runtime 1.1 – 4.5.2 now forbid setting

<pages enableViewStateMac=”false”/>and <%@ Page EnableViewStateMac=”false” %>

So, if you have set EnableViewStateMac=”false” anywhere in your application, your application will be affected by this change. If you are running the ASP.NET framework on your machine, this behavior will be picked up automatically the next time you check for updates.

So, what is ‘View state MAC’?

View State is a hidden form field where .NET framework stores encoded form data for lookup in the subsequent request post backs to the same page. MAC stands for message authentication code, which is a cryptographic code generated by the server and appended to _VIEWSTATE hidden form field (The view state of a page is, by default, placed in a hidden form field named __VIEWSTATE). The MAC ensures that the client hasn’t tempered with these fields (_VIEWSTATE).

Okay, but why is EnableViewStateMac=”false” dangerous?

If EnableViewStateMac is enabled, the .NET framework computes MAC and stores it in a hidden viewStateMac field of the response. When the request is posted back from the client, the .NET framework computes the MAC of the viewstate and verifies that it with the same value as seen in the hidden viewStateMac field in the request. If the two values do not match, .NET raises an error “Validation of viewstate MAC failed”. Enabling this option prevents attackers from tampering the viewState data.

Microsoft is forbidding it because it is never safe to set EnableViewStateMac=”false”. Your web site is open to remote code execution attack. An attacker may be able to leverage this setting to upload and execute arbitrary code on the web server. This would grant attacker complete control over the web application subject to the permissions of the web worker process.

Will this patch break my application?

If you have set EnableViewStateMac=”false” anywhere in your application, this change will affect you. If the reason the MAC was disabled was to enable cross-page posts (when one page is posted to another page), the application will generally continue to work correctly. If the reason the MAC was disabled was to avoid synchronizing the <machineKey> setting in a web farm, the application will probably break.

If you are using EnableViewStateMac=”true” throughout your application, this change will not affect you. If you never touch the EnableViewStateMac switch at all in your application, this change will not affect you, as the default value for this setting is true.

Ending note:

As I wrap up this blog post let me try and answer to you one of the most important questions that you might be thinking right now.

What are the major behavioral changes you will witness after applying this patch?

A minor change in behavior of web forms has occurred due to this patch, but it is not a breaking change. So, now if a _VIEWSTATE field is written to the response, now it will be accompanied by the new <input type=”hidden” name=”__VIEWSTATEGENERATOR” … /> field. This new form field is used by the ASP.NET runtime to determine whether a postback is going to same page or cross-page. It is similar in concept to the _PREVIOUSPAGE form field that is written when a control’s PostBackUrl property is set.

Mohit Kumar

Mohit Kumar

Technical Lead

Mohit Kumar is working as Tech Lead at 3Pillar Global. He brings with him over 9 years of industry experience and has experience in programming on various platforms i.e. Web, Windows, and Mobile. He is a Microsoft Certified Technology Specialist in .Net framework, Web applications and WCF. Mohit has Master’s degree in computer applications from Sikkim Manipal University.

Leave a Reply

Related Posts

The 3 Keys to Building Products That Drive Retention –... I had the privilege of being invited to speak at the Wearable Technology Show in Santa Clara this week, where I gave a bit of a reprisal of a talk I d...
High Availability and Automatic Failover in Hadoop Hadoop in Brief Hadoop is one of the most popular sets of big data processing technologies/frameworks in use today. From Adobe and eBay to Facebook a...
3Pillar CEO David DeWolf Quoted in Enterprise Mobility Excha... David DeWolf, Founder and CEO of 3Pillar Global, was recently quoted in a report by Enterprise Mobility Exchange on the necessity of understanding and...
How the Right Tech Stack Fuels Innovation – The Innova... On this episode of The Innovation Engine podcast, we take a look at how choosing the right tech stack can fuel innovation in your company. We'll talk ...
The Road to AWS re:Invent 2018 – Weekly Predictions, P... For the last two weeks, I’ve been making predictions of what might be announced at AWS’ upcoming re:Invent conference. In week 1, I made some guesses ...