I’ve been wanting to write this earlier today but it was a typical busy Monday. It’s about the recently published vulnerability in ASP.NET. I was looking at my twitter feeds this past Sunday to see what the people I’m following are up to. I came across Tom Resing’s tweet about Security Advisory 2416728. The advisory came out Friday night (September 17) but I didn’t read about it until yesterday. I looked into it and was troubled by what was described in the article. In the article, it says:
At this time we are not aware of any attacks using this vulnerability and we encourage customers to review the advisory for mitigations and workarounds.
Oh yeah, add the fact that the article starts with:
Today we released Security Advisory 2416728 describing a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework.
If those lines don’t get your attention, I don’t know what will!
A detection script was also made available in the TechNet article “Understanding the ASP.NET Vulnerability”. The script runs as a VBScript and reports all Web app configurations that are vulnerable. If your apps are not vulnerable, the script reports “OK” for the app. The report looks like the following:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Enumerating possible paths with ASP.Net configuration that have custom errors turned off.
C:\inetpub\wwwroot\web.config: ** Vulnerable configuration found **
C:\Inetpub\wwwroot\TestApp1\web.config: ** Vulnerable configuration found **
C:\Inetpub\wwwroot\wss\VirtualDirectories\2639\wpresources\web.config: ** Vulnerable configuration found **
C:\Inetpub\wwwroot\wss\VirtualDirectories\4444\web.config: ** Vulnerable configuration found **
If your app shows “Vulnerable configuration found”, then the Security Advisory is applicable for that app. You want to see “OK” reported for your app instead.
The vulnerability is called the “Padding Oracle Exploit”. The attacker sends tampered data to the web server and the web server generates error messages. As more error codes are returned to the attacker for the tampered requests, the attacker can learn what the encryption is. Once the encryption is compromised, the exploit begins. This vulnerability allows an attacker to read data, even encrypted data such as data stored in the View State, and even download files such as the web.config file from the target server. (But requests for web.config files cannot be served by IIS, right???) Scott Guthrie explains in his blog how this vulnerability works. Scott also explains how to work around this issue. Until a patch or security update appears, this workaround is the best tool Microsoft provides against the exploit.
You say “But I never store sensitive information in the View State!” Well, read on. In the Microsoft TechNet Security Advisory (and even Scott’s blog post), the workaround’s main theme is homogenizing the error page. The TechNet security advisory says “Homogenizing errors is a crucial component to help protect against this attack.” This means turning customErrors to “On” and explicitly specifying the defaultRedirect page. For full details, please read Scott Guthrie’s blog post.
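As an added example (my own code, not Microsoft’s VBScript detection script and not from Scott Guthrie’s post), here is a small Python audit that turns the workaround described above into a check you can run over a web root: it reports any web.config whose customErrors element is not mode="On" with an explicit defaultRedirect page, and it also reports per-status <error> overrides, since those make responses differ by status code again. The sample configurations are constructed; the rules are my reading of the workaround in this post, and a missing customErrors element is reported on the assumption that the app was never explicitly hardened.

```python
"""Audit ASP.NET web.config files for the customErrors workaround.

Added example (not Microsoft's detection script): flags configurations
that do not match the workaround described in the post -- customErrors
mode="On" with an explicit defaultRedirect page and no per-status
<error> overrides.
"""
import os
import xml.etree.ElementTree as ET


def audit_config_text(xml_text):
    """Return a list of findings for one web.config document; empty means OK."""
    findings = []
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    custom_errors = system_web.find("customErrors") if system_web is not None else None

    if custom_errors is None:
        # Assumption: a config that never sets customErrors has not been
        # explicitly hardened, so it is reported rather than silently passed.
        findings.append("no <customErrors> element: error handling not explicitly homogenized")
        return findings

    mode = (custom_errors.get("mode") or "").strip()
    if mode.lower() == "off":
        findings.append('customErrors mode="Off": detailed errors differ per failure')
        return findings
    if mode.lower() != "on":
        findings.append(f'customErrors mode="{mode}": workaround calls for mode="On"')

    if not custom_errors.get("defaultRedirect"):
        findings.append("no defaultRedirect: framework error pages still vary by status code")

    if custom_errors.findall("error"):
        findings.append("per-status <error> entries: responses still differ by status code")
    return findings


def audit_tree(root_dir):
    """Walk a directory (e.g. C:\\inetpub\\wwwroot) and audit every web.config found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() == "web.config":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    results[path] = audit_config_text(fh.read())
    return results


def status_line(path, findings):
    """Render one result in the same style as the Microsoft script's report."""
    verdict = "OK" if not findings else "** Vulnerable configuration found **"
    return f"{path}: {verdict}"


# Constructed sample configurations (not taken from any real server).
OFF_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

NO_REDIRECT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    samples = [("off", OFF_CONFIG), ("no-redirect", NO_REDIRECT_CONFIG), ("hardened", HARDENED_CONFIG)]
    for label, text in samples:
        findings = audit_config_text(text)
        print(status_line(f"sample:{label}", findings))
        for finding in findings:
            print("    - " + finding)
```

Run it against a real web root with audit_tree(r"C:\inetpub\wwwroot") and print status_line for each entry. A finding means the config does not match the workaround as described here, not that exploitation has been confirmed; the detailed findings say which attribute to change.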
Now, you might say this is just another over-hyped, exaggerated piece of propaganda by the Microsoft haters. Well, you can throw that argument out the window, since it is Microsoft itself that is telling its customers about the vulnerability. There is also a Common Vulnerabilities and Exposures (CVE) entry for this. The CVE entry says it just has a “candidate” status on it right now and may even be “rejected in the future”. Is that grounds for ignoring it because it’s just a “candidate” CVE entry? Is it really worth ignoring because the probability and severity of the exploit have not been fully established yet? For public-facing sites, I recommend you implement the workaround as soon as possible. The workaround is fairly cheap to implement—just do it! There will be many apps that will be fine and for which no workaround is necessary (their customErrors configuration is already protected against this exploit). But if the detection tool above says “vulnerable” on your site, and the site is public facing, all I can say is “Wow!” should you decide to ignore it.
I am in the process of getting up to speed with the new Visual Studio 2010 IDE and how it can be used to develop custom SharePoint 2010 solutions.
It’s so easy to do a “Hello World” Web part project now. These days, my Hello World projects typically involve opening up a database table and displaying records in a table. I was able to do this with minimal coding and got it up and running—a full-blown Web part—in under 15 minutes!
I created a sample project that opens up the AdventureWorks database and displays employee records in a table:
Sample Visual Web Part Project using Adventure Works Database
The Web-part looks like the following when used inside SharePoint:
AdventureWorks Employees Web Part
So far, I like it! Here are my first impressions:
- SharePoint project templates come with the out-of-the-box install of VS 2010. After installing VS 2010, the SharePoint project templates are ready for use. No need to install VS extensions.
SharePoint Project Templates in Visual Studio 2010
- The Visual Web Part project cannot be deployed as a “sandboxed solution”. It has to be deployed as a farm solution.
- Project debugging became a lot easier, even with a full-blown farm deployment. Press F5 in the VS 2010 IDE and Visual Studio will build, package, deploy, and activate your feature, and launch the debug browser, all in one click! When you’re done debugging, terminate Internet Explorer and Visual Studio will deactivate and retract the solution out of SharePoint.
- Even for full-blown deployments, the IIS reset (for the target Web app) when debugging is fast!
- Remember in VSeWSS 1.3 where you had to Google first how to specify the group the Web part appears in because it wasn’t so obvious? Well, it got easier in VS 2010! Now, the Elements.xml file has a placeholder for the Web-part group. All you have to do is change it from “Custom” to whatever value you want it to be. It’s so visible now you can’t miss it.
Web-Part Group Place-Holder in Elements.xml File
- You can now add Web User Controls (ASCX files) into the project! As a matter of fact, the project template adds one ASCX file for you. This just made Web Part development a HECK of a lot easier! This is HUGE! Back in VS 2008 developing SharePoint 2007 Web parts, there were no designers available. If developers wanted to use ASCX files, they had to create regular ASP.NET Web apps, design the ASCX files there, write the code-behind, compile the project so the code-behind logic gets packaged with the ASCX files, deploy the ASCX files to the UserControls folder within the SharePoint virtual Web app folder, deploy and enable Smart Part, add a Smart Part Web part to the SharePoint pages, then finally, hook up the Smart Part to the ASCX files. Whew!!! Talk about LOTS of steps! In VS 2010, you don’t need Smart Part or that lengthy way to integrate ASCX files in SharePoint anymore. The challenge of “imagining” what your Web part will look like as you write your C# code is no more. The designer is built into the Visual Web Part project. Leverage your ASP.NET skills to the max.
- Despite all the improvements, Web part development veterans should recognize familiar concepts and project files such as Elements.xml, .webpart file, strong-named key file, packages and features.
I have many ASP.NET developer friends who didn’t want to get into SharePoint development because:
- The Web part project wasn’t easy in SharePoint 2007. No designers, hard to design a visual element.
- ASP.NET developers got accustomed to easy debugging of their projects by simply pressing the F5 key or the play button on the IDE toolbar. In 2007, ASP.NET developers thought deploying the app and then attaching to the w3wp.exe process (multiple manual steps, not one) was too cumbersome.
- It took forever to even debug the code because the SharePoint Web app always recycled on deployments.
If you are an ASP.NET developer contemplating if you should try SharePoint development, I highly recommend you try it NOW! SharePoint 2010 development feels like traditional ASP.NET development more than ever!
If you are a .NET developer and if you happen to also have a Mac environment, I highly recommend that you learn iPhone development. Why? Read on.
I purchased a MacBook Pro a week ago and started coding an app within the first 2 hours of getting home! I tell you what, I’ve been a PC user for a long, long time and this is my first time owning a Mac. This MacBook Pro Unibody plus the Snow Leopard OS is really one sweet device. Am I done with PC laptops? Nope–I’m just waiting for the HP Envy 14 series to come out–a 16 GB RAM config with the newest Core i7 chip plus SSD drives–that’s going to be my configuration for SharePoint 2010 mobile development. Anyway, back to the MacBook. So, I started coding my first night owning the Mac. I saw some samples on the Web and started coding iPhone apps. Holy-moly! I saw and typed keywords that I haven’t used since college (I think)–the malloc and dealloc commands/keywords!!! I dreaded those things as a young programmer. Memory leaks, buffer overruns–yep, I got burned many times when I was starting out and I didn’t allocate/deallocate memory properly in my programs.
So, what does iPhone development have to do with .NET development? Well, technology-wise, they are different worlds. Xcode uses Objective-C while .NET (mostly) uses C#. They’re kind of like distant cousins; they’re similar in some ways but different in many ways. No, I’m not recommending you abandon .NET and totally convert to Xcode. I’m recommending that you try iPhone development because it will bring you back to fundamentally sound programming practices. As a developer, I felt like it brought me back to my roots. Developers need to be mindful of performance and memory use when developing for the iPhone. In Xcode and .NET, there are garbage collectors. Developers don’t worry about memory allocation thanks to the garbage collectors. iPhone apps don’t have garbage collectors. Also, device memory is limited on the iPhone. No gigs of RAM. No swap files. Should you try iPhone development, you will see malloc and dealloc again and you will be constantly asking yourself “maybe I should clean up stuff in memory and make room for new objects”. If you’ve never seen malloc and dealloc, well, I hope it’s a fun experience discovering for the first time what it’s like to develop where you are constrained by limited memory.
.NET developer with a Mac: go try iPhone development. If anything, because you’re forced to think about limited CPU cycles and limited memory, it should improve your overall programming skills!