Earlier this week, we wrote about a hotfix that Microsoft had prepared to protect Microsoft Dynamics CRM deployments against the recently discovered ASP.NET vulnerability. Microsoft has released a more comprehensive ASP.NET patch that should be applied to more effectively secure your server.
Now that the comprehensive patch is available, you should no longer need the specific CRM hotfix. Customers should follow these guidelines when installing the new patch:
If you have not already applied the CRM patch, then you can directly install the ASP.NET patch, available here.
If you have already applied the CRM patch, first install the ASP.NET patch and then uninstall the CRM patch. After uninstalling the CRM patch, verify the following:
If using CRM 4.0, then the following line should NOT exist in web.config, under any section (unless you have enabled customErrors specifically for your deployment): <customErrors mode="On" defaultRedirect="~/error2.aspx">
You should not have error2.aspx under the webroot folder (for your CRM application), under the help folder, and under the webroot\tools\importwizard folder.
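The verification steps above can be scripted. The following PowerShell is an added example, not part of the original post or of Microsoft's guidance; the -WebRoot parameter is an assumption and must point at the root folder of your CRM web application.

```powershell
# Added example: checks a CRM web root for leftovers of the uninstalled CRM hotfix.
# -WebRoot is an assumed parameter: the root folder of your CRM web application.
param(
    [Parameter(Mandatory = $true)]
    [string]$WebRoot
)

$findings = @()

# error2.aspx must be gone from the three folders the guidance names.
$folders = @(
    $WebRoot,
    (Join-Path $WebRoot 'help'),
    (Join-Path $WebRoot 'tools\importwizard')
)
foreach ($folder in $folders) {
    $page = Join-Path $folder 'error2.aspx'
    if (Test-Path -LiteralPath $page -PathType Leaf) {
        $findings += "Leftover error page: $page"
    }
}

# No web.config may still carry the hotfix's customErrors element, in any section.
$configs = @(Get-ChildItem -Path $WebRoot -Filter 'web.config' -Recurse -ErrorAction SilentlyContinue)
foreach ($config in $configs) {
    $file = $config.FullName
    $xml = New-Object System.Xml.XmlDocument
    try {
        $xml.Load($file)
    } catch {
        $findings += "Could not parse ${file}: $($_.Exception.Message)"
        continue
    }
    # local-name() matches the element even when web.config declares an XML namespace.
    foreach ($node in $xml.SelectNodes("//*[local-name()='customErrors']")) {
        # Only the hotfix's redirect is flagged; a customErrors element you set up yourself is left alone.
        if ($node.GetAttribute('mode') -eq 'On' -and
            $node.GetAttribute('defaultRedirect') -like '*error2.aspx*') {
            $findings += "Hotfix customErrors element still present in $file"
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "No CRM hotfix leftovers found under $WebRoot"
```

The script exits with code 1 when anything is left behind, so it can gate a post-patch checklist.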
Today we welcome our guest blogger, Jacob Cynamon-Murphy, to discuss the recent ASP.NET security advisory.
On Friday, September 17, Microsoft released a security advisory about a vulnerability in ASP.NET that affects all versions of ASP.NET on virtually every currently supported Windows operating system. The vulnerability exposes the possibility of an attacker downloading files within your ASP.NET application or decrypting ViewState and other encrypted data. We believe that the greatest risk is to those servers that are publicly accessible by being published through a firewall or reverse proxy server. We are advising our clients to review the guidance that Scott Guthrie posted on his blog to evaluate your web servers and identify any applications that may be at risk.
The good news is that the Microsoft CRM team has just released a hotfix for this. You can get the patch at http://support.microsoft.com/kb/2421203/en-us. For CRM 4.0 installations, you will need to have Update Rollup 13 installed.
For your custom web.config pages, the fix is simple, albeit slightly technical. For each ASP.NET application you host on your server, you simply need to alter how the application handles custom errors. Scott Guthrie's blog post about the vulnerability explains how the vulnerability works and how to protect your applications for every version of ASP.NET from v1.0 to v4.0. The fix essentially hides any useful information an attacker could access from the standard error pages, thereby preventing them from exploiting this vulnerability. Microsoft has also noted that they are working on a more comprehensive fix that could likely be applied at the operating system level to protect all of your applications.
We have started to release our #MSDYNCRM 2011 videos on our YouTube channel. These videos are intended to provide quick overviews of new product functionality. We have created a total of 10 videos and they are being posted on a daily basis. The final video will be posted on Friday, October 1st.
As we close in on the official RTW launch of #MSDYNCRM 2011 we thought it would be a good idea to put together a series of new feature videos demonstrating the power of the new platform. Starting on Monday, September 20th, we will begin publishing our first of 10 video clips that highlight some of these new features. We will publish one new video each day for 2 weeks straight. The video highlights will include:
Conditional Formatting in Outlook
Form Enhancements part 1 (Embedded Grids, SharePoint Integration)
Form Enhancements part 2 (Role-based forms, Form Navigation)
The videos will be posted on YouTube under our Sonoma Partners channel. Let us know what you think!
We recently released a very cool integration between Microsoft Word and Microsoft Dynamics CRM, and we are really excited to share information about it. In summary, our proprietary Word-to-CRM integration allows users to:
Build Word document templates that can load data from Microsoft Dynamics CRM
Once the data is loaded, users can edit their data in Microsoft Word and then save their changes back to Microsoft Dynamics CRM
This Word-to-CRM integration allows users to take advantage of the full word processing capabilities of Word while still storing and saving the data back into CRM. We use this tool internally for our project charter, specifications, etc., but we also have clients using it for documents like leases, approval letters, quotes, legal notifications, etc. This tool fits in perfectly with many different XRM development stories, and it can support both on-premise AND Microsoft Dynamics CRM Online deployments (of course).
To help show you how the Word-to-CRM integration works, we put together a short 3 minute screencast demo:
Please contact us if you want to learn more about this Word-to-CRM integration!