Posted by: Gabe Hilado in ASP.NET,Security on September 20th, 2010

I had been wanting to write this earlier today, but it was a typical busy Monday. It’s about the recently published vulnerability in ASP.NET. I was looking at my Twitter feeds this past Sunday to see what the people I follow are up to, and I came across Tom Resing’s tweet about Security Advisory 2416728. The advisory came out Friday night (September 17), but I didn’t read about it until yesterday. I looked into it and was troubled by what was described in the article. In the article, it says:

At this time we are not aware of any attacks using this vulnerability and we encourage customers to review the advisory for mitigations and workarounds.

Oh yeah, add the fact that the article starts with:

Today we released Security Advisory 2416728 describing a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework.

If those lines don’t get your attention, I don’t know what will!

A detection script was also made available in the TechNet article “Understanding the ASP.NET Vulnerability”. The script runs as a VBScript and reports every web app configuration that is vulnerable. If an app is not vulnerable, the script reports “ok” for it. The report looks like the following:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Enumerating possible paths with ASP.Net configuration that have custom errors turned off.

C:\inetpub\wwwroot\web.config: ** Vulnerable configuration found **
C:\Inetpub\wwwroot\TestApp1\web.config: ** Vulnerable configuration found **
C:\Inetpub\wwwroot\wss\VirtualDirectories\2639\wpresources\web.config: ** Vulnerable configuration found **
C:\Inetpub\wwwroot\wss\VirtualDirectories\4444\web.config: ** Vulnerable configuration found **
C:\Inetpub\wwwroot\TestApp2\web.config: ok

If your app shows “Vulnerable configuration found”, then the Security Advisory is applicable for that app. You want to see “ok” like in the last line of the example above.

The vulnerability is called a “Padding Oracle Exploit”. The attacker sends tampered encrypted data to the web server, and the web server answers with error messages. Because the errors returned for the tampered requests differ from one another, the attacker can gradually learn how to decrypt the data. Once the encryption is compromised, the exploit begins. This vulnerability allows an attacker to read data, even encrypted data such as what is stored in the View State, and even to download files such as the web.config file from the target server. (But requests for web.config files cannot be served by IIS, right???) Scott Guthrie explains in his blog how this vulnerability works. Scott also explains how to work around the issue. Until a patch or security update appears, this workaround is the best tool Microsoft provides against the exploit.

You say “But I never store sensitive information in the View State!” Well, read on. In the Microsoft TechNet Security Advisory (and even Scott’s blog post), the workaround’s main theme is homogenizing the error page. The TechNet security advisory says “Homogenizing errors is a crucial component to help protect against this attack.” This means turning customErrors to “On” and explicitly specifying the defaultRedirect page. For full details, please read Scott Guthrie’s blog post.
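To make the detection script’s verdicts and the workaround concrete, here is an added example (my own illustration, not Microsoft’s VBScript and not code from this post). It embeds three constructed web.config fragments, the weak customErrors setting beside the advisory’s homogenized one, and runs a check over them that mirrors what the post describes: customErrors must be “On” and a defaultRedirect page must be set. The paths, file contents and the extra rule that per-status <error> entries also count as vulnerable (since they return different pages for different failures, which defeats the homogenization) are my assumptions, not anything the TechNet script is documented to do.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not real files from the post).
# 1) The weak setting: customErrors turned off, so each exception shows a
#    distinct ASP.NET error page to remote callers.
VULNERABLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# 2) RemoteOnly without a defaultRedirect: nothing forces every error to
#    the same page, so this is still reported as vulnerable.
REMOTE_ONLY_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>
"""

# 3) The advisory's workaround: mode="On" plus an explicit defaultRedirect,
#    so every error, whatever its cause, produces the same response.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
"""


def check_custom_errors(web_config_xml):
    """Return (is_ok, reason) for one web.config's <customErrors> element."""
    root = ET.fromstring(web_config_xml)
    custom_errors = root.find("system.web/customErrors")
    if custom_errors is None:
        return False, "no <customErrors> element in this web.config"
    # ASP.NET's default for a missing mode attribute is RemoteOnly.
    mode = custom_errors.get("mode", "RemoteOnly")
    if mode.lower() != "on":
        return False, f'customErrors mode="{mode}" (must be "On")'
    if not custom_errors.get("defaultRedirect"):
        return False, "customErrors has no defaultRedirect page"
    # Assumption beyond the post: per-status <error> entries give different
    # responses for different failures, which undoes the homogenization.
    if custom_errors.findall("error"):
        return False, "per-status <error> entries make responses distinguishable"
    return True, "ok"


def scan_configs(configs):
    """Produce report lines in the style of the TechNet detection script.

    configs maps a web.config path to its XML text (constructed here)."""
    report = []
    for path, xml_text in configs.items():
        ok, reason = check_custom_errors(xml_text)
        verdict = "ok" if ok else f"** Vulnerable configuration found ** ({reason})"
        report.append(f"{path}: {verdict}")
    return report


# Constructed paths, echoing the layout of the report quoted above.
SAMPLE_CONFIGS = {
    r"C:\inetpub\wwwroot\web.config": VULNERABLE_WEB_CONFIG,
    r"C:\inetpub\wwwroot\TestApp1\web.config": REMOTE_ONLY_WEB_CONFIG,
    r"C:\inetpub\wwwroot\TestApp2\web.config": HARDENED_WEB_CONFIG,
}

if __name__ == "__main__":
    print("Checking constructed web.config samples:")
    for line in scan_configs(SAMPLE_CONFIGS):
        print(line)
```

The check is deliberately per file, like the VBScript report: an app whose own web.config omits customErrors inherits whatever the parent sets, so it is flagged rather than silently trusted. Scott Guthrie’s post adds, for .NET 3.5 SP1 and 4.0, redirectMode="ResponseRewrite" on the same element so the error page is rewritten in place instead of redirected; this example checks only the two attributes the post above names.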

Now, you might say this is just more over-hyped, exaggerated propaganda from the Microsoft haters. Well, you can throw that argument out the window, since it is Microsoft itself that is telling its customers about the vulnerability. There is also a Common Vulnerabilities and Exposures (CVE) entry for this. The CVE entry says it only has “candidate” status right now and may even be “rejected in the future”. Is that grounds for ignoring it because it’s just a “candidate” CVE entry? Is it really worth ignoring because the probability and severity of the exploit have not been fully established yet? For public-facing sites, I recommend you implement the workaround as soon as possible. The workaround is fairly cheap to implement—just do it! Many apps will be fine and need no workaround (their customErrors configuration already protects against this exploit). But if the detection tool above says “vulnerable” for your site, and the site is public facing, all I can say is “Wow!” should you decide to ignore it.

Posted by: Gabe Hilado in SharePoint on October 26th, 2009

When Windows 7 came out last week, I decided to go ahead and install it on my laptop. I like what I see so far–everything seems to run faster in Windows 7! Same hardware; the apps just launch faster. For example, SharePoint Designer used to take 5-10 seconds to launch under Vista. Now I can get SharePoint Designer running in 2 seconds. Visual Studio 2008 used to take 5-10 seconds to launch as well. Now Visual Studio 2008 opens up like I’m opening Internet Explorer! I’ve always run SharePoint in a Windows Server 2003 virtual machine, and the performance was decent. But now that I’m seeing how much more efficient Windows 7 is, I thought: what if I just ran SharePoint (MOSS) on Windows 7 and forgot about running it in a virtual machine?

I found this walkthrough from Bamboo Solutions on how to install SharePoint on Windows 7. It worked, and all I can say is wow! There were two issues I ran into when I tried to follow the walkthrough. The first was getting the bootstrapper to launch the MOSS installer. I have the original media from 2007, and no matter how many times I tried to make Bamboo Solutions’ setup helper launch that setup.exe, it wouldn’t launch it. The error message I got was:

WSS on Vista - Setup Controller Command Line Help

I tried renaming the setup.exe file to SharePoint.exe, thinking that maybe, just maybe, the setup helper is file-name dependent. It didn’t work. Finally, I decided to just go ahead and download the trial version of MOSS (if you have a proper license):

If you don’t have a MOSS license, just download WSS 3.0. If you have a MOSS license, you can enter your key during the installation to make the installation permanent. I tried the x64 MOSS 2007 trial with the Bamboo helper and it worked.

One more issue I ran into was when I ran the SharePoint Configuration Wizard for the first time. It said that I didn’t have IIS installed. Well, I already had IIS running–IIS 7. When I picked the Windows features to install, I had not selected IIS 6 Management Compatibility:

Turn on IIS 6 Management Compatibility in Windows Features


The moment I turned on IIS 6 Management Compatibility, the SharePoint Configuration Wizard was able to proceed.

I’m very happy with my laptop setup now. I have MOSS running on it and I don’t even need a virtual machine anymore. Do I think it’s risky to install MOSS on my base OS? I don’t think so; I’ve been installing and running SharePoint since 2007 and I have yet to see it mess up the operability of an application or service in Windows. But then again, I’ve always used Windows 2003 Server. Who knows what kind of issue I will run into running MOSS on top of Windows 7.

As much as I recommend that you try MOSS/SharePoint on Windows 7, I highly recommend you run the upcoming SharePoint 2010 beta on a virtual machine only! When the SharePoint 2010 Beta comes out next month, I will be running it inside a virtual Windows 2008 Server.
