
Symptoms

A vulnerability has been identified in ASP.NET that affects the following versions of Microsoft Dynamics CRM:

Microsoft Dynamics CRM 3.0

Microsoft Dynamics CRM 3.0 CHS (Chinese - PRC) and JPN (Japanese - Japan)

Microsoft Dynamics CRM 3.0 SPE (Service Provider Edition)

Microsoft Dynamics CRM 4.0

Microsoft Dynamics CRM 2011 Beta

This vulnerability is discussed in Microsoft Security Advisory (2416728).

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Resolution

In order to address the ASP.NET Security Advisory (2416728), install the ASP.NET patches from here. The patch may ask you to restart your box.

Microsoft Dynamics CRM previously released hotfixes built around the ASP.NET workarounds for Microsoft Security Advisory 2416728. Those updates no longer apply and have been removed from the Microsoft Download Center.

NOTE: If you have previously applied the security hotfix released by Dynamics CRM for security advisory 2416728, then you will need to follow the steps mentioned below. 

How to check whether the Dynamics CRM hotfix is installed

Connect to your CRM server as local administrator. Click Start, click Control Panel, and then click Programs and Features. Click View Installed Updates in the left navigation bar and check whether a patch with a name beginning with CRMv4.0-KB2421203 is installed.

Steps to remove the Dynamics CRM hotfix:

Step 1: In order to address the ASP.NET Security Advisory (2416728), install the ASP.NET patches from here. The patch may ask you to restart your box.

Step 2: Uninstall the Dynamics CRM patches. To do so, connect to your CRM server as local administrator. Click Start, click Control Panel, and then click Programs and Features. Click View Installed Updates in the left navigation bar. Select the patches with a name beginning with CRMv4.0-KB2421203 and click Uninstall.

Step 3: Restart your server.

Step 4: Open the web.config file in the webroot folder of your CRM application:

<drive:>\inetpub\wwwroot\web.config

Search for the customErrors node. If you find the following line, remove it from web.config and save the file:

<customErrors mode="On" defaultRedirect="~/error2.aspx">

Step 5: Navigate to the help folder under the webroot folder of your CRM application:

<drive:>\inetpub\wwwroot\help\web.config and repeat Step 4.

Step 6: Verify that there is no error2.aspx existing under the following locations:

<drive:>\inetpub\wwwroot\

or <drive:>\inetpub\wwwroot\help\
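
A read-only PowerShell check for Steps 4 to 6, added here as an example and not part of the original Microsoft article. The function name Test-CrmWorkaroundRemoved and the constructed demo folder are assumptions; on a real server, pass your own CRM webroot path.

```powershell
# Added example: reports remnants of the workaround. Nothing is modified.
function Test-CrmWorkaroundRemoved {
    param([Parameter(Mandatory = $true)][string]$WebRoot)

    $findings = @()
    # Steps 4 and 5: the webroot and its help subfolder each have a web.config.
    foreach ($dir in @($WebRoot, (Join-Path $WebRoot 'help'))) {
        $config = Join-Path $dir 'web.config'
        if (Test-Path -LiteralPath $config) {
            # Parse as XML so attribute order, quoting and namespaces do not matter.
            $xml = New-Object System.Xml.XmlDocument
            $xml.Load((Resolve-Path -LiteralPath $config).ProviderPath)
            foreach ($node in $xml.SelectNodes("//*[local-name()='customErrors']")) {
                if ($node.GetAttribute('defaultRedirect') -match 'error2\.aspx') {
                    $findings += "customErrors still redirects to error2.aspx in $config"
                }
            }
        }
        # Step 6: the error page must not exist in either folder.
        $page = Join-Path $dir 'error2.aspx'
        if (Test-Path -LiteralPath $page) {
            $findings += "Leftover file: $page"
        }
    }
    $findings
}

# Constructed demo in a temp folder (sample data, not taken from a real server).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'crm-webroot-demo'
New-Item -ItemType Directory -Force -Path (Join-Path $demo 'help') | Out-Null
@'
<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error2.aspx" />
</system.web></configuration>
'@ | Set-Content -Path (Join-Path $demo 'web.config')
Set-Content -Path (Join-Path $demo 'help\error2.aspx') -Value 'constructed placeholder'

$result = @(Test-CrmWorkaroundRemoved -WebRoot $demo)
if ($result.Count -eq 0) { 'Clean: no workaround remnants found.' } else { $result }
```

An empty result means both web.config files and both folders are free of the workaround's customErrors redirect and error page.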

More Information

The updates released along with Security Update for Microsoft Dynamics CRM (KB 2421203) were hotfixes over and above the ASP.NET workaround. Be sure to remove the Dynamics CRM hotfix after the ASP.NET patch is applied. The Dynamics CRM hotfix (2421203) is not intended as a permanent fix.


Prerequisites to install the software update:

Microsoft Dynamics CRM 3.0 Server Update Rollup 3

Microsoft Dynamics CRM 3.0 Server (Japanese and Chinese) Update Rollup 2

Microsoft Dynamics CRM 3.0 Service Provider Edition Server Update Rollup 2

Microsoft Dynamics CRM 4.0 Server Update Rollup 13

Microsoft Dynamics CRM 2011 Server
