ZDNet UK
Hacker finds fault in .Net security

Published: 03 May 2002 08:49 BST


The much-vaunted security of Microsoft's next-generation Web-services platform is good, but the company still has to iron out some kinks, one security consultant said on Thursday.

H.D. Moore, a hacker and senior security analyst for Digital Defense, told attendees of the CanSecWest security conference in Vancouver, British Columbia, that the .Net Framework could nearly eliminate some types of vulnerabilities that plague Microsoft products today, but that the server software is still easy to misconfigure, especially since much of the documentation teaches insecure programming.

"It doesn't make a difference how secure products are initially, but how you program them that counts," Moore said. "And developers are being told the wrong things to do in a lot of situations."

The hacker presented the results of his analysis of ASP.Net, the Web services portion of the .Net Framework, at the conference Thursday. While he found several vulnerabilities in some components of the framework, his main criticisms fell on the heads of Microsoft's documentation writers.

"Most developer resources are wrong!" he wrote in a slide, adding that of the five most popular ASP.Net books, each failed to mention at least one of several common .Net security problems.

In addition, the primary example that programmers will look to in developing .NET Web applications -- Microsoft's IBuySpy store Web application -- has a Unicode vulnerability and leaves two project files configured so as to be accessible by anyone on the Web, Moore said.

And finally, he added, the Microsoft Developer Network documentation instructs developers to create a file containing users' passwords and places it in a directory accessible from the Web, a definite security no-no.

Microsoft representatives, although not present for the presentation, said they would look at the issues.

"The product has been live for nearly four months now," said Mike Kass, product manager for the .Net Framework. "The documentation has been pretty well received by the community. But if there is a problem, we will definitely look at it."

In some ways, Moore's analysis supported Microsoft's claims that .Net will be much more secure than the current Web service infrastructure. "There are a lot more features to lock down Web applications," he said.

However, the learning curve will be steep, he added, and mistakes will harm the security of any Web application.

For example, a developer who installs .Net on a computer with Microsoft's Web software, Internet Information Server, will find the default configuration -- a more secure configuration than in the past -- will break many services that the Web server may offer. Turning the services on in a secure way may not be easy, he said.

"They did a pretty good job locking down the default install," he said. "But as soon as you start enabling features, you might be causing (security) problems."

The new software also adds 18 new extensions, he said, some of which may become paths for new vulnerabilities. In addition, the current revision of the .Net Framework has several components that could leak sensitive information when an error occurs and, in some cases, reveal the path to the file on the server.

Moore advises taking server configuration seriously. Everything a developer does to change the default configuration could lessen security.

"Many features have some serious problems," he suggested in his presentation. "Research an option before making a change."
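Two of the problems Moore describes are easy to check for on a deployed site: secrets or project files sitting under the directory the Web server serves (the IBuySpy project files and the MSDN password-file advice), and ASP.Net error handling left in a mode that shows stack traces and file paths to remote users. The following audit script is an added example written for this page; it is not Moore's tooling or anything from Microsoft. It builds a small constructed Web root in a temporary directory, lists files matching an illustrative (constructed) set of sensitive names and extensions, and reads the `customErrors` mode from a `web.config` fragment, treating an absent element as ASP.Net's `RemoteOnly` default.

```python
"""Audit a Web root for files that should never be served and for
ASP.Net customErrors settings that expose detailed errors remotely.
Added example; the sensitive-file lists and sample layout are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed lists of names/extensions that have no business under a served
# directory: credential stores, project files, debug symbols, backup copies.
SENSITIVE_NAMES = {"users.xml", "passwords.txt", "passwords.xml"}
SENSITIVE_EXTS = {".csproj", ".vbproj", ".sln", ".pdb", ".bak"}


def find_exposed_files(webroot):
    """Return sorted, slash-separated paths (relative to webroot) of files
    whose name or extension is on the sensitive lists."""
    exposed = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            lower = name.lower()
            _stem, ext = os.path.splitext(lower)
            if lower in SENSITIVE_NAMES or ext in SENSITIVE_EXTS:
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)


def custom_errors_mode(config_text):
    """Return the customErrors mode declared in a web.config, or 'RemoteOnly'
    (the ASP.Net default) when the element or attribute is absent."""
    root = ET.fromstring(config_text)
    node = root.find("./system.web/customErrors")
    if node is None:
        return "RemoteOnly"
    return node.get("mode", "RemoteOnly")


def leaks_errors_remotely(config_text):
    """True when mode="Off": every client sees the full error page, including
    server-side file paths."""
    return custom_errors_mode(config_text) == "Off"


# Weak setting beside the hardened one (constructed fragments).
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="error.htm" />
  </system.web>
</configuration>"""


def build_sample_webroot():
    """Create a constructed Web root that mixes served content with files
    that should have stayed out of it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "default.aspx": "<%@ Page %>",
        "Store.csproj": "<Project />",            # project file left behind
        "bin/Store.pdb": "",                       # debug symbols
        "data/users.xml": "<users><user name='a' password='x'/></users>",
        "images/logo.gif": "",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def audit(webroot, config_text):
    """Combine both checks into one report dictionary."""
    return {
        "exposed": find_exposed_files(webroot),
        "custom_errors": custom_errors_mode(config_text),
        "verbose_errors_remote": leaks_errors_remotely(config_text),
    }


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(sample_root, cfg))
```

Run against a real deployment, point `find_exposed_files` at the site's physical root and feed `custom_errors_mode` the actual `web.config`; the lists above are a starting point, not a complete inventory of what a given Web server will serve.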
