Office and SharePoint Blog

SharePoint Affected by ASP.NET Vulnerability

The Microsoft SharePoint team blog updated its Security Advisory 2416728, "Vulnerability in ASP.NET and SharePoint," on 9/22/10, adding this note (bolding is their emphasis):

"We originally stated that SharePoint Server 2007 and Windows SharePoint Services 3.0 did not require the workaround to be applied, however, we have recently discovered through testing that a variant of the issue does affect SharePoint Server 2007 and Windows SharePoint Services 3.0 and also requires extra steps in the workaround for SharePoint Server 2010 (Steps 5-9).  Customers with these versions should refer to the relevant workaround below.  We will continue to keep this post updated with the latest guidance."

The workarounds, Microsoft adds, "do not fix the underlying issue but help to block known attack vectors until an ASP.NET security update is released. ... We recommend that all affected SharePoint customers apply the workaround as soon as possible.  You should apply the workaround to every web front-end in your SharePoint farm."

The full post, with workaround steps, is at the SharePoint Product team's MSDN blog site.

Also, check out Paul Robichaux's good, detailed explanation of what a padding oracle attack is in "Exchange Server and the Oracle Padding Attack."
