Saturday, September 25, 2010

A bit of a worry-- ASP.NET vulnerability and SharePoint

A security advisory has been released concerning a known ASP.NET security issue and the danger it poses for those of us who have SharePoint deployed (SharePoint is built on ASP.NET, and is therefore exposed to the same flaw).

The problem, in an oversimplified example, is that due to this vulnerability an attacker can send crafted ciphertext to the server and, from the differences in the error messages that come back, learn whether it was decrypted correctly; repeating this enough times lets them get in and read private information.
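To make the mechanism concrete from the defender's side, here is a small simulation (added here, not code from the post, from Microsoft, or from SharePoint) of a server endpoint that accepts a client-supplied token. The "leaky" handler returns a different status code and message depending on which check failed, which is exactly the kind of difference an attacker can observe; the "uniform" handler verifies the token's integrity first and answers every failure with one identical response. The token format, key, and handler names are constructed for this example and are not ASP.NET's own.

```python
"""Constructed demo of error-response normalisation for an endpoint that
decodes client-supplied tokens. Not ASP.NET code; the token format and key
are invented for illustration only."""
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo key; a real deployment keeps this in protected config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32   # HMAC-SHA256 tag length in bytes
BLOCK = 16     # block size used for PKCS#7-style padding


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def make_token(plaintext: bytes) -> bytes:
    """Pad the plaintext to a whole block and append an HMAC tag."""
    pad = BLOCK - (len(plaintext) % BLOCK)
    padded = plaintext + bytes([pad]) * pad
    tag = hmac.new(SERVER_KEY, padded, hashlib.sha256).digest()
    return padded + tag


def _strip_padding(padded: bytes) -> bytes:
    """Remove PKCS#7 padding; raise on anything malformed."""
    pad = padded[-1] if padded else 0
    if pad < 1 or pad > BLOCK or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("padding")
    return padded[:-pad]


def _check_tag(body: bytes, tag: bytes) -> None:
    """Constant-time comparison of the expected and supplied tag."""
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag")


def leaky_handler(token: bytes) -> Response:
    """Checks padding before the tag and reports each failure differently.
    The distinct responses are the oracle the post describes."""
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    try:
        data = _strip_padding(body)
    except ValueError:
        return Response(500, "Padding is invalid and cannot be removed.")
    try:
        _check_tag(body, tag)
    except ValueError:
        return Response(403, "Invalid token signature.")
    return Response(200, data.decode("utf-8", "replace"))


def uniform_handler(token: bytes) -> Response:
    """Verifies the tag first, then padding; every failure, whatever its
    cause, produces the same status code and the same generic message."""
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    try:
        _check_tag(body, tag)
        data = _strip_padding(body)
    except ValueError:
        return Response(500, "An error occurred while processing your request.")
    return Response(200, data.decode("utf-8", "replace"))


def failure_signatures(handler, token: bytes) -> set:
    """Defensive self-check: corrupt one byte in the padding region and one
    byte in the tag region of a valid token and collect the distinct
    (status, body) pairs the handler returns. More than one distinct pair
    means the handler's errors reveal which check failed."""
    seen = set()
    for pos in (len(token) - TAG_LEN - 1, len(token) - 1):
        corrupted = bytearray(token)
        corrupted[pos] ^= 0x01
        resp = handler(bytes(corrupted))
        seen.add((resp.status, resp.body))
    return seen


if __name__ == "__main__":
    tok = make_token(b"user=alice")
    print("leaky  :", failure_signatures(leaky_handler, tok))
    print("uniform:", failure_signatures(uniform_handler, tok))
```

Running the self-check against `leaky_handler` yields two distinguishable responses, while `uniform_handler` yields exactly one; the same check is a cheap way to confirm that a custom error page configuration really does return identical output for every failure cause.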

Microsoft does not yet have a fix for this issue, and if you are worried (say, if your SharePoint implementation is internet facing), they offer some workarounds until they do have an official hotfix or patch you can download.

The workaround is detailed at: http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

The official (and not super helpful) security advisory is at: http://www.microsoft.com/technet/security/advisory/2416728.mspx

A blog by someone named Scott Guthrie, who seems to be super knowledgeable about this security issue, has two entries concerning it:

The first, as of Sept. 19, is: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

The follow-up, Sept. 24, is: http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx

My environment, right now, is completely isolated, so I am going to hold off messing with the settings until I finally finish creating new material for the book. But I wanted to let you all know about the issue now, in case it compromised your environment.
