Boletín de Seguridad 2416728: Detectada una vulnerabilidad de ASP.NET que afecta a WSS/MOSS

El blog de producto de sharepoint ha publicado una alerta de seguridad, que recomienda solventar tan pronto como sea posible una vulnerabilidad recientemente detectada, que afecta a los entornos sharepoint.

Esta es la nota publicada en blog de producto de Sharepoint donde se dan las instrucciones paso a paso para aplicar el correctivo:

 “(…)  We originally stated that SharePoint Server 2007 and Windows SharePoint Services 3.0 did not require the workaround to be applied, however, we have recently discovered through testing that a variant of the issue does affect SharePoint Server 2007 and Windows SharePoint Services 3.0 and also requires extra steps in the workaround for SharePoint Server 2010 (Steps 5-9).  Customers with these versions should refer to the relevant workaround below.  We will continue to keep this post updated with the latest guidance.

We recently released a Microsoft Security Advisory for a vulnerability affecting ASP.NET.  This post documents recommended workarounds for the following SharePoint products:

·        SharePoint 2010

·        SharePoint Foundation 2010

·        Microsoft Office SharePoint Server 2007

·        Windows SharePoint Services 3.0

·        Windows SharePoint Services 2.0

A workaround is not necessary for SharePoint Portal Server 2003. 

The workarounds for the affected versions of SharePoint and Windows SharePoint Services listed above are temporary measures that do not fix the underlying issue but help to block known attack vectors until an ASP.NET security update is released.  We will provide instructions on how to revert the workarounds when the security update is released.

We recommend that all affected SharePoint customers apply the workaround as soon as possible.  You should apply the workaround to every web front-end in your SharePoint farm."

El día de ayer fue publicado en Microsoft un boletín informando del fix para resolver el problema

http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

Más información en:

Microsoft Sharepoint Team Blog

http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

Blog de Scott Guthrie (Vice-Presidente Microsoft Developer Division)

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

KB 958847: Cumulative update packages for the 2007 Microsoft Office core suite applications and for 2007 Microsoft Office servers: October 28, 2008

The Packages Cumulative Update for de 2008 October Contain the Latest hotfixes for the 2007 Office Core Suite Applications and Servers. We recommend that you Test hotfixes Before You deploy them in a Environment Production. Because the builds are Cumulative, Each New Release Fix CONTAINS all the Hotfixes and all the Security Fixes that were Included with the 2007 Previous Suites Office Fix Release. We recommend that you consider Applying the most Recent Release Fix that CONTAINS THE hotfix That You Need.

http://support.microsoft.com/kb/958847

Errores en el EVENT LOG de Windows 2003 con MOSS 2007: Event ID 6398, 6482, 7076 y/o IIS abre en blanco

Si el servidor de MOSS experimentan alguno de estos problemas:

• Al abrir IIS 6.0 Server Manager Snapin aparece en blanco
• Errores en el Application Log de Windows 2003:

Event ID: 6398

El método Execute de la definición de trabajo Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID xxx-xxxxx-xxxxxx) lanzó una excepción.

A continuación se incluye más información.

Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

Event ID: 6482

No se pudo ejecutar el trabajo de administración del servidor de aplicaciones para la instancia de servicio Microsoft.Office.Server.Search.Administration.SearchAdminSharedWebServiceInstance (xxxx-xxxx-xxx-xxx).

Motivo: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

Detalles de soporte técnico:System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt. at System.DirectoryServices.Interop.UnsafeNativeMethods.IntADsOpenObject(String path, String userName, String password, Int32 flags, Guid& iid, Object& ppObject) at System.DirectoryServices.Interop.UnsafeNativeMethods.ADsOpenObject(String path, String userName, String password, Int32 flags, Guid& iid, Object& ppObject) at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_IsContainer() at System.DirectoryServices.DirectoryEntries.CheckIsContainer() at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName) at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name) at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name) at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime) at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime) at Microsoft.Office.Server.Administration.SharedWebServiceInstance.Synchronize() at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)

Event ID : 7076

Excepción al ejecutar el trabajo del administrador del servidor de aplicaciones.

Mensaje: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

Detalles de soporte técnico:System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt. at System.DirectoryServices.Interop.UnsafeNativeMethods.IntADsOpenObject(String path, String userName, String password, Int32 flags, Guid& iid, Object& ppObject) at System.DirectoryServices.Interop.UnsafeNativeMethods.ADsOpenObject(String path, String userName, String password, Int32 flags, Guid& iid, Object& ppObject) at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_IsContainer() at System.DirectoryServices.DirectoryEntries.CheckIsContainer() at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName) at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name) at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name) at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime) at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime) at Microsoft.Office.Server.Administration.SharedWebServiceInstance.CreateSharedWebServiceApplicationPool(SharedResourceProvider srp) at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)

Revisar este documento en la Knowledge Base de Microsoft: KB 946517 .

Existe un hotfix liberado en agosto 2008 para resolver un problema del proveedor ADSI de IIS 6.0

Carpetas que deben ser excluídas de la exploración del software antivirus en WSS 3.0 o MOSS

Cuando se utiliza ciertos programas de software antivirus en Windows SharePoint Service 3.0 o SharePoint Server 2007, es importante excluir determinadas carpetas de éste rastreo del antivirus. Si no se excluyen estas carpetas, se pueden experimentar muchos problemas inesperados : desde recibir mensajes de error de "Acceso denegado" cuando se cargan los archivos hasta la interrupción del servicio.

Este artículo incluye información acerca de cuáles son las carpetas que deben ser excluidas de la exploración del antivirus en los servidores que tienen instalado Microsoft Windows SharePoint Services 3.0 o Microsoft Office SharePoint Server 2007.

(Español)
http://support.microsoft.com/kb/952167/es

(Inglés)
http://support.microsoft.com/kb/952167/en-us

Problemas con Audiencias y Web Parts en WSS/MOSS

Síntomas:

Si a una web part dada en WSS/MOSS le es configurada una audiencia que consiste en grupos de Sharepoint, que a su vez está conformada por grupos de directorio activo, la web part no le es mostrada a los usuarios que pertenecen a dicho grupo.

Causas:

Este comportamiento ocurre debido a que únicamente los usuarios individuales que han sido asginados al grupo de SharePoint son reconocidos como audiencia. Solo estos tendrán acceso al Web Part. Sin embargo, si es gregado un grupo de Active Directory, las cuentos de usuario pertenecientes al grupo no son reconocidas como parte de dicha audiencia. Por lo tanto, las cuentas de usuario que residen en el grupo que a su vez han sido agregadas al grupo de SharePoint group no podrán acceder alWeb Part.

Solución:

Aplicar el hot fix que puede ser descargado desde:
http://support.microsoft.com/kb/942819/

Aplicar el hot fix post service pack 1 documentado en la Knowledge Base de microsoft bajo el número 948681 (este hot fix está incluido a partir del Infrastructure Update (IU), de julio 2008 ... Si no ha aplicado el IU, se recomienda aplicarlo en lugar de este hot fix, ya que adicionalmente a este problema resuelve otra cantidad de problemas ya detectados y solucionados.

Referencia:

http://support.microsoft.com/default.aspx/kb/948681

Infraestructure Updates y Despliegue de Contenido

Fueron liberadas actualizaciones muy importantes para la plataforma Office Server 2007, estas correciones, denominadas Content Deployment and Infraestructure Updates, mejoran algunos de los puntos y entre los mas importantes estan:

· Workflow
· Business Data Catalog
· Inter-farm server authentication with Kerberos (ITPro blog)
· Federated search
· A unified administration dashboard

Reparación incremental de bugs:

· Incremental import can fail if a feature with a custom content type has been reactivated on the destination.
· Unpublished pages do not get unpublished on the destination.
· Reinheriting permissions on the source does not propagate incrementally.
· Deleting a permission level on the source causes a "Permission level cannot be found." exception during incremental import.
· Incremental behavior with the Recycle Bin improved. Incremental import fails with a "FatalError: You cannot perform this action on a checked out document." exception.
· "Violation of PRIMARY KEY constraint" error during export.
· Document "Title" field does not get deployed by incremental deployment in some cases.
· In some cases, making permissions changes on the source or destination will result in a "The specified name is already in use." error.
· Deleting or renaming an item then creating one with the same name causes incremental deployment to fail.
· Incremental deployment fails when pages have independent permission settings.
· Deleting a file and folder can cause incremental deployment to fail in some cases.

Otros bugs corregidos:

· Removing a User from a group does not propagate to the destination during incremental deployment.
· Some source web settings related to search are not propagated to the destination.
· Content Deployment can time out incorrectly on large deployment jobs.
· Miscellaneous SQL deadlocks.
· Quick deployment jobs behave incorrectly when Variations is used.
· Quick deployment fails when pages are Quick Deployed while the Quick Deploy job is running.
· Running One-time jobs manually can fail.
· In some cases, a content deployment job can get stuck in a "Preparing" state forever.
· Deployment sometimes unghosts items that are ghosted on the source.
· Custom master page settings on the source are not propagated to the destination during deployment.
· Content deployment fails when compression is disabled.

Descargas :

Infrastructure Update for Microsoft Office Servers (KB951297) - x86
Infrastructure Update for Microsoft Office Servers (KB951297) - x64
Infrastructure Update for Windows SharePoint Services 3.0 (KB951695) - x86
Infrastructure Update for Windows SharePoint Services 3.0 (KB951695) - x64
Infrastructure Update for Microsoft Office Project 2007 (KB951547) - x86

Instrucciones :

Deploy Software Updates for Windows SharePoint Services 3.0 Deploy Software Updates for Office SharePoint Server 2007 - Aplica pa Project Server 2007, SharePoint Server 2007, Search Server 2008 y Search Server 2008 Express.

Install the Infrastructure Update for Microsoft Office Servers (Office SharePoint Server 2007)

Install the Infrastructure Update for Microsoft Office Servers (Search Server 2008)

Si necesita mayor detalle de los problemas manejados de despliegue de contenido en el Infrastructure Update, visite en Microsoft:

WSS: http://support.microsoft.com/kb/952698/
MOSS: http://support.microsoft.com/kb/952704/

Cómo cambiar cuentas de servicio y contraseñas de cuentas de servicio en SharePoint Server 2007 y en Windows SharePoint Services 3.0

Uno de los problemas típicos de operaciones está muy ligado al tema de la seguridad y las políticas de cambios de frecuentes de las contraseñas de las cuentas de usuario, y en muchos casos, las cuentas de servicio utilizadas por las aplicaciones no escapan de su alcance.

Las mejoras prácticas de MOSS sugieren emplear al menos 7 cuentas administrativas para el tema de independencia de los servicios, etc. que es tema de otra discusión. Simplemente cambiando el password de dichas cuentas se afectará el servicio si no se toman las previsiones identificadas para notificar a MOSS de dicho cambio, como se describen en el siguiente artículo de Microsoft:

http://support.microsoft.com/kb/934838/es