A vulnerability has been identified in ASP.NET that affects the following versions of Microsoft Dynamics CRM:
Microsoft Dynamics CRM 3.0
Microsoft Dynamics CRM 3.0 CHS (Chinese - PRC) and JPN (Japanese - Japan)
Microsoft Dynamics CRM 3.0 SPE (Service Provider Edition)
Microsoft Dynamics CRM 4.0
Microsoft Dynamics CRM 2011 Beta
This vulnerability is discussed in Microsoft Security Advisory (2416728).
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
In order to address the ASP.NET Security Advisory (2416728), install the ASP.NET patches from here. The patch may ask you to restart your server.
Microsoft Dynamics CRM previously released hotfixes that were to be applied on top of the ASP.NET workarounds for Microsoft Security Advisory 2416728. Those updates no longer apply and have been removed from the Microsoft Download Center.
NOTE: If you previously applied the security hotfix released by Dynamics CRM for Security Advisory 2416728, follow the steps below.
How to check whether the Dynamics CRM hotfix is installed
Connect to your CRM server as a local administrator. Click Start, click Control Panel, and then click Programs and Features. Click View Installed Updates in the left navigation bar and check whether an update whose name begins with CRMv4.0-KB2421203 is installed.
Steps to remove the Dynamics CRM hotfix:
Step 1: In order to address the ASP.NET Security Advisory (2416728), install the ASP.NET patches from here. The patch may ask you to restart your server.
Step 2: Uninstall the Dynamics CRM patches. To do so, connect to your CRM server as a local administrator. Click Start, click Control Panel, and then click Programs and Features. Click View Installed Updates in the left navigation bar. Select the updates whose names begin with CRMv4.0-KB2421203 and click Uninstall.
Step 3: Restart your server.
Step 4: Open the web.config file in the webroot folder of your CRM application: <drive:>\inetpub\wwwroot\web.config.
Search for the customErrors node. If you find the following line, remove it from web.config and save the file:
Step 5: Open the web.config file in the help folder under the webroot folder of your CRM application, <drive:>\inetpub\wwwroot\help\web.config, and repeat Step 4.
Step 6: Verify that no error2.aspx file exists in the following locations:
The updates released along with Security Update for Microsoft Dynamics CRM (KB 2421203) were hotfixes over and above the ASP.NET workaround. Be sure to remove the Dynamics CRM hotfix after the ASP.NET patch is applied; the Dynamics CRM hotfix (2421203) is not intended as a permanent fix.
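The following PowerShell script is an added example for verifying Steps 2 through 6 above after the ASP.NET patch has been applied; it is not part of the original article and is not Microsoft's own tooling. It assumes the default webroot C:\inetpub\wwwroot (change the -WebRoot parameter for another drive), it assumes the error2.aspx locations to check are the webroot and its help folder (the article's list of locations is not reproduced here), and it reads installed product updates from the per-machine Windows Installer registry hive, which is where View Installed Updates obtains them. The script only reports; it does not modify web.config or uninstall anything, so the operator still performs the removal steps by hand.

```powershell
# Added verification helper for the Dynamics CRM 2416728 hotfix cleanup.
# Not from the KB article. Assumptions (adjust as needed):
#   - $WebRoot is the CRM webroot named in the article (default C:\inetpub\wwwroot).
#   - error2.aspx is checked in the webroot and its help folder (assumed locations).
#   - Installed MSI patches are read from the per-machine Installer registry hive.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string]$PatchPrefix = 'CRMv4.0-KB2421203'
)

$problems = @()

# 1. Is the CRM hotfix still registered as an installed update (Step 2)?
$patchKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\Patches\*'
$installed = Get-ItemProperty -Path $patchKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "$PatchPrefix*" }
foreach ($p in $installed) {
    $problems += "Hotfix still installed: $($p.DisplayName)"
}

# 2. Does either web.config still carry a customErrors node (Steps 4 and 5)?
#    The node is reported verbatim so the administrator can compare it with
#    the line the article tells them to remove.
foreach ($cfg in @("$WebRoot\web.config", "$WebRoot\help\web.config")) {
    if (-not (Test-Path -Path $cfg)) {
        $problems += "Expected configuration file not found: $cfg"
        continue
    }
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($cfg)
    $node = $xml.SelectSingleNode('/configuration/system.web/customErrors')
    if ($node -ne $null) {
        $problems += "customErrors node present in ${cfg}: $($node.OuterXml)"
    }
}

# 3. Has the workaround error page been removed (Step 6; locations assumed)?
foreach ($page in @("$WebRoot\error2.aspx", "$WebRoot\help\error2.aspx")) {
    if (Test-Path -Path $page) {
        $problems += "Workaround page still present: $page"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'Dynamics CRM 2416728 hotfix cleanup: no remnants found.'
    exit 0
}
$problems | ForEach-Object { Write-Output "REMNANT: $_" }
exit 1
```

Run the script from an elevated PowerShell prompt on the CRM server after Step 3's restart. A non-zero exit code means at least one remnant of the hotfix or its workaround was found and the corresponding step should be repeated; because the error2.aspx locations and the registry path are assumptions, confirm them against your own deployment before relying on a clean result.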
Prerequisites to install the software update:
Microsoft Dynamics CRM 3.0 Server Update Rollup 3
Microsoft Dynamics CRM 3.0 Server (Japanese and Chinese) Update Rollup 2
Microsoft Dynamics CRM 3.0 Service Provider Edition Server Update Rollup 2
Microsoft Dynamics CRM 4.0 Server Update Rollup 13
Microsoft Dynamics CRM 2011 Server