On Wednesday, we released a roll-up of fixes for security vulnerabilities for several versions of Team Foundation Server. There are no new features in this update. Most of the vulnerabilities are related to cross-site scripting (XSS), some of which were customer reported. The others include an improperly encoded API, a service endpoint editing experience that exposes a previously configured password, and a regular expression denial of service (ReDoS) vulnerability in our web portal. We recommend customers install these updates. These fixes are included in the recently released Team Foundation Server 2018 Update 1. The release on Wednesday was for older versions and for customers who are not yet ready to update to TFS 2018.
Team Foundation Server 2015 Update 4.1:
Team Foundation Server 2017.0.1:
Team Foundation Server 2017 Update 3.1:
We take all security vulnerabilities very seriously and go to great lengths to protect our customers. The worst kind of security vulnerabilities you can have are those that allow an external, unauthenticated attacker access to or control over a system. Fortunately, none of these are of that nature. All of them require an authenticated user who has been granted permissions on your TFS server. They all would require a hostile, or unlikely accidental, action by someone on your team. However, out of an abundance of caution, we are releasing fixes and we encourage you to install the update. All of these fixes have, of course, already been applied to our cloud hosted offering, VSTS.
As I mentioned above, some of the vulnerabilities were customer reported. Although we do extensive security testing ourselves, as with all bugs, it is possible for us to miss something. From time to time, some of our customers (particularly larger enterprises) do their own security testing of both TFS and VSTS and report their findings. In most cases they don't find anything. However, recently, one of our customers did some very detailed testing and found a few XSS issues. We're grateful to our customers who invest the effort to ensure our product is as secure as possible, and we're committed to fixing any significant issues they find.
Going forward, to avoid future XSS vulnerabilities slipping through our testing, we are adopting Content Security Policy to broadly mitigate XSS issues