The much-vaunted security of Microsoft's next-generation Web services platform is good, but the company still has some kinks to iron out, one security consultant said Thursday. H.D. Moore, a hacker and senior security analyst for Digital Defense, told attendees of the CanSecWest security conference here that the .Net Framework could nearly eliminate some types of vulnerabilities that plague Microsoft products today, but that the server software is still easy to misconfigure, especially since much of the documentation teaches insecure programming. "It doesn't make a difference how secure products are initially, but how you program them, that counts," Moore said. "And developers are being told the wrong things to do in a lot of situations."
The hacker presented the results of his analysis of ASP.Net, the Web services portion of the .Net Framework, at the conference Thursday. While he found several vulnerabilities in some components of the framework, his main criticisms fell on the heads of Microsoft's documentation writers. "Most developer resources are wrong!" he wrote in a slide, adding that each of the five most popular ASP.Net books fails to mention at least one of several common .Net security problems.
He gave two examples of potential holes:
- The primary example that programmers will look to when developing .Net Web applications, Microsoft's IBuySpy store Web application, has a Unicode vulnerability and leaves two project files configured so that anyone on the Web can access them, Moore said.
- The Microsoft Developer Network documentation instructs developers to create a file containing people's passwords and to place it in a directory accessible from the Web, a definite security no-no.
News source: ZDNet