ASP.NET September Patch Fixes a Final Bug and Says Farewell to EnableViewStateMac

So far there's been very little fallout reported from the release of Microsoft's September updates, but we're early into the week. However, there is one important change in the way ASP.NET functions that you should be aware of, and depending on your configuration, could have a major impact.

Originally released in December 2013 as KB2905247, Microsoft started making changes in the way EnableViewStateMac works. Citing potentially dangerous security repercussions, setting EnableViewStateMac to false in your web applications could allow attackers to upload and execute hazardous code, giving full rights to the web server.

In December, Microsoft started warning about this issue, but delayed making the change permanent in hopes that customers would take notice and have enough time to fix their web applications. Now, 9 months later, Microsoft has rereleased 2905247. If you never touched the EnableViewStateMac property or have it set to true, you have nothing to worry about. The true setting is the default. However, if you modified the setting, this update will cause definitely problems and your web applications will need to be reviewed and changed.

The updated 2905247 also fixes a bug in the Page.IsPostBack property that was introduced in the December version. Note that this new update affects ASP.NET versions 1.1 through 4.5.1. ASP.NET 4.5.2 or later already has the patch built in.

Microsoft has provided details and a FAQ section in a blog post: Farewell, EnableViewStateMac!