14 DAY TRIAL // Microsoft is urging customers, developers and partners to patch their Cloud applications and services by using a refresh provided for the Windows Azure software development kit.
The Redmond company is not saying the word “vulnerability” using a more ambiguous “issue” term, but it has confirmed coming across a security problem which affects projects built by leveraging ASP.NET and the new "Full IIS" feature of SDK v1.3.
According to the Redmond company in addition to taking advantage of the new “Full IIS” feature, ASP.NET apps and services need to also have a Web Role deployed in order to be impacted by the security issue discovered.
“"Web Role" is defined as a single HTTP endpoint and a single HTTPS endpoint for external clients. This is not to be confused with the "Worker Role," which is defined as up to five external endpoints using HTTP, HTTPS or TCP. Each external endpoint defined for a role must listen on a unique port,” a member of the Windows Azure team stated.
The software giant did mention that the update to its Cloud SDK comes as a way to ensure that customers and their applications are secure, and that the problem was identified through the Security Development Lifecycle (SDL) process.
“In particular, this affects web sites and services that use cookies to maintain state information either within a session or between sessions (if interactions in one session can affect what happens in a subsequent session).
“These cookies are cryptographically protected so that clients can see that there is state information being passed but cannot see the contents of that state information and cannot change it. In the case of vulnerable Web Roles, it may be possible for clients to determine the contents of the state information (though the client could still not change it).
“If the web site depended on the client not being able to see the contents, its security could be compromised,” the Windows Azure team representative added.
In response, Microsoft is providing customers with the Windows Azure SDK and Windows Azure Tools for Microsoft Visual Studio (November 2010) refresh.
Developers need to download the updated SDK, upgrade the previous version, and re-package their projects. After repackaging is complete they will also have to upgrade or re-deploy their service in the Cloud.
“This refresh of the Windows Azure November 2010 SDK (SDK 1.3) resolves an issue that affects applications developed using SDK v1.3. We are encouraging affected customers to install the refresh of the SDK and redeploy their application(s),” Microsoft added.
Windows Azure SDK and Windows Azure Tools for Microsoft Visual Studio (November 2010) Refresh is available for download here.