Big Security Hole for SharePoint Servers

You may have already read this somewhere out there, it is making the rounds across the Twitter-phere, blogs, and news. But I felt it would be important to post, or I should say re-post the issue.

Executive Summary from Vulnerability in ASP.NET Could Allow Information Disclosure (http://www.microsoft.com/technet/security/advisory/2416728.mspx)

Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. Microsoft is aware of limited, active attacks at this time. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Scott Guthrie has an excellent post up regarding this vulnerability at http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx. As normal, he has gone through with code snippets to explain the issue and what you can due to protect your systems.

Good luck keeping your systems safe!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s