The much-vaunted security of Microsoft's next-generation Web services platform is good, but the company still has some kinks to iron out, one security consultant said Thursday. H.D. Moore, a hacker and senior security analyst for Digital Defense, told attendees of the CanSecWest security conference here that the .Net Framework could nearly eliminate some types of vulnerabilities that plague Microsoft products today, but that the server software is still easy to misconfigure, especially since much of the documentation teaches insecure programming. "It doesn't make a difference how secure products are initially, but how you program them, that counts," Moore said. "And developers are being told the wrong things to do in a lot of situations."
News source: ZDNet
View: Hacker exposes holes in .Net
The hacker presented the results of his analysis of ASP.Net, the Web services portion of the .Net Framework, at the conference Thursday. While he found several vulnerabilities in some components of the framework, his main criticisms fell on the heads of Microsoft's documentation writers. "Most developer resources are wrong!" he wrote in a slide, adding that each of the five most popular ASP.Net books fails to mention at least one of several common .Net security problems.
He gave two potential holes:
- The primary example that programmers will look to in developing .Net Web applications--Microsoft's IBuySpy store Web application--has a Unicode vulnerability and leaves two project files configured so as to be accessible by anyone on the Web, Moore said.
- The Microsoft Developer Network documentation instructs developers to create a file containing people's passwords and place it in a directory accessible from the Web - a definite security no-no.


and the email for your viewing pleasure:
Dear Microsoft Beta Tester,
Welcome to the beta release of Microsoft Wireless Home Networking. For this beta program, BetaPlace, Email, and Newsgroup services will be available to you.
BetaPlace
BetaPlace is Microsoft’s technical beta web community where you can:
To access BetaPlace, go to www.betaplace.com. Sign in using your Beta ID and Password listed below. More information regarding BetaPlace will be included in your beta kit.
BetaID:
Password:
Email:
If you need assistance in using your product, please send email to
Newsgroups
Microsoft private newsgroups will be available for product discussion with other beta testers. Private newsgroups are accessed from a dedicated news server and require a User ID and Password before giving you access. To access the newsgroups you will need to configure your newsreader program with the account information listed below. For help on setting up a news reader, please read the attached newsgroups instructions documents. We will not provide product support or bug tracking through the newsgroup. Please use Beta Place to enter bugs, and email if you need assistance.
The discussion newsgroup for this beta is:
Newsgroup Account Name:
Password:
News Server:
Access to this specific program page on BetaPlace and its newsgroups is limited to participants of this beta release. Microsoft will never request that you send your password information to us via email or any other method. We already have this information on file, and any attempt to obtain your password could indicate fraudulent activity and should be reported to us immediately via the email address below. Please do not share this account information beyond the scope of what is allowed under the License Agreement for this beta. In addition, please do not discuss this beta in newsgroups outside of this program, including other Microsoft newsgroups.
Thank you for participating in this beta program. We look forward to your valuable feedback.
Microsoft Wireless Home Networking Team
