Microsoft fixes cookie security bug in Windows Azure

The bug affects Web sites and services that use cookies to maintain a user's state information between browser sessions

Microsoft has refreshed the Windows Azure software development kit to fix a bug that can expose cookie information to clients who have built applications on top of the cloud platform.

CUSTOMER STORY: Early adopter spells out Microsoft Azure's strengths and weaknesses

The bug affects Web sites and services that use cookies to maintain a user's state information between browser sessions, and lets Microsoft customers running Web sites on Azure see the contents of cookie information generated by Web site users. If the process worked correctly, the cookies' cryptographic protection would ensure that "clients can see that there is state information being passed but cannot see the contents of that state information and cannot change it," Microsoft said. But the security hole exposes the cookie information.

"This issue affects applications developed using ASP.NET and using the new 'Full IIS' feature of SDK v1.3 that have a Web Role deployed," Microsoft said. "In the case of vulnerable Web Roles, it may be possible for clients to determine the contents of the state information (though the client could still not change it). If the Web site depended on the client not being able to see the contents, its security could be compromised."

Affected Azure customers should download the refresh of the SDK, redeploy their applications and verify that the fix is working. Instructions are available on the Windows Azure blog.

In addition to the Azure fix, Microsoft is scheduled to patch 22 bugs next week as part of the monthly Patch Tuesday. All versions of Windows will receive multiple critical patches, and Internet Explorer will also be fixed up.

Separately from these security announcements, Microsoft said that it is offering "extra small" compute instances in Windows Azure as part of a new public beta that will give developers a cheaper entrance into cloud computing.

Extra small Windows Azure compute instances cost 5 cents an hour, whereas the four larger sizes range from 12 cents to 96 cents. The new instance type offers 1GHz of CPU, 768MB of memory, 20GB storage, and lower I/O performance than the more robust instances.

Even the second-smallest instances offer 1.6GHz of CPU, 1.75GB memory and 225GB storage, and better I/O performance, but Microsoft said it has received "a lot of interest" in the extra small instances since opening a private beta last October.

"This smaller instance provides developers with a cost-effective training and development environment," Microsoft said. "Developers can also use the 'Extra Small' instance to prototype cloud solutions at a lower cost," and the new size is "more affordable for developers interested in running smaller applications on the platform."

The public beta was announced Thursday and is open to all customers. Windows Azure extra small instances are similar to the "micro" instance types offered by rival Amazon's Elastic Compute Cloud.

With one year of production under its belt, Windows Azure has 31,000 active subscribers and is hosting 5,000 applications.

Follow Jon Brodkin on Twitter:

Read more about software in Network World's Software section.

Tags cloud computingMicrosoftinternetsoftwareData Centerhardware systems

Show Comments