H.D. Moore, a hacker and senior security analyst for Digital Defense, told attendees of the CanSecWest security conference here that the .Net Framework could nearly eliminate some types of vulnerabilities that plague Microsoft products today, but that the server software is still easy to misconfigure, especially since much of the documentation teaches insecure programming.
"It doesn't make a difference how secure products are initially, but how you program them, that counts," Moore said. "And developers are being told the wrong things to do in a lot of situations."
The hacker presented the results of his analysis of ASP.Net, the Web services portion of the .Net Framework, at the conference Thursday. While he found several vulnerabilities in some components of the framework, his main criticisms fell on the heads of Microsoft's documentation writers.
"Most developer resources are wrong!" he wrote in a slide, adding that each of the five most popular ASP.Net books fails to mention at least one of several common .Net security problems.
In addition, the primary example that programmers will look to in developing .Net Web applications--Microsoft's IBuySpy store Web application--has a Unicode vulnerability and leaves two project files configured so as to be accessible by anyone on the Web, Moore said.
Finally, he added, the Microsoft Developer Network documentation instructs developers to create a file containing people's passwords and places it in a directory accessible from the Web--a definite security no-no.
Microsoft representatives, although not on hand for the presentation, said they would look at the issues.
"The product has been live for nearly four months now," said Mike Kass, product manager for the .Net Framework. "The documentation has been pretty well received by the community. But if there is a problem, we will definitely look at it."
Microsoft has come under scrutiny for the level of security--or lack thereof, some would say--in its software applications. The company, though, has recently spoken of taking a more stringent approach to securing its products.
In some ways, Moore's analysis supported Microsoft's claims that .Net will be much more secure than the current Web services infrastructure. "There are a lot more features to lock down Web applications," he said.
However, the learning curve will be steep, he added, and mistakes will harm the security of any Web application.
"They did a pretty good job locking down the default install," he said. "But as soon as you start enabling features, you might be causing (security) problems."
The new software also adds 18 new extensions, he said, some of which may become paths for new vulnerabilities. In addition, the current revision of the .Net Framework has several components that could leak out sensitive information when an error occurs and, in some cases, reveal the path to the file on the server.
Moore advises taking server configuration seriously. Everything a developer does to change the default configuration could lessen security.
"Many features have some serious problems," he suggested in his presentation. "Research an option before making a change."
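The two configuration mistakes the article singles out, error pages that leak server-side file paths and application data files (including a password file) left reachable from the Web, both live in an ASP.Net application's web.config. The fragment below is an added example, not code from the article, from Moore's presentation or from Microsoft's documentation; it shows the weak setting beside the corrected one for an ASP.Net 1.x application. The element names (customErrors, httpHandlers, System.Web.HttpForbiddenHandler) are real ASP.Net 1.x configuration; the file names and paths are constructed for illustration.

```xml
<!-- Added example (not from the article, the talk, or Microsoft's docs).
     ASP.Net 1.x web.config: weak settings shown commented out next to the
     corrected ones. File names below are constructed for illustration. -->
<configuration>
  <system.web>

    <!-- WEAK: mode="Off" returns the full ASP.Net error page, including the
         stack trace and the physical path of the failing file, to any client.
         This is the path-disclosure behaviour the article describes.
    <customErrors mode="Off" />
    -->

    <!-- CORRECTED: remote clients get a generic page; the detailed error
         is still shown on the server console for developers. -->
    <customErrors mode="RemoteOnly" defaultRedirect="error.htm" />

    <!-- Refuse to serve application data files through ASP.Net. "users.xml"
         stands in for a credential or project file that must never be
         downloadable. The corrected answer is to store such files outside
         the Web root; this handler mapping is the second line of defence. -->
    <httpHandlers>
      <add verb="*" path="users.xml" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>

    <!-- Forms authentication with no inline <credentials> element: keeping
         the password list out of web.config avoids shipping it with the site. -->
    <authentication mode="Forms">
      <forms name=".APPAUTH" loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>

  </system.web>
</configuration>
```

One caveat a practitioner should keep in mind: the httpHandlers section only applies to requests that IIS hands to the ASP.Net ISAPI extension. A file whose extension IIS serves directly, without an aspnet_isapi.dll mapping, never reaches these handlers, which is why a password or project file placed in a Web-accessible directory is exposed regardless of what web.config says, and why the first fix is to move it out of the Web root.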