09-24-2010 11:28 AM - edited 09-24-2010 01:31 PM
Customers using ASP.NET in Public-Facing Servcies are advised to read Microsoft Security Advisory (2416728) and to apply the Workarounds immediately. Several Exploit Tools are available for this Class of Vulnerability and Microsoft reports that SharePoint and Exchange - and all applications that rely on ASP.NET - are affected by this Vulnerability. This issue is being exploited in-the-Wild in Limited Attacks and in some cases can result in a complete system compromise. Further information is available in the below resources.
Microsoft Security Advisory (2416728):
Vulnerability in ASP.NET Could Allow Information Disclosure:
Security Advisory 2416728 Released:
Understanding the ASP.NET Vulnerability:
Important: ASP.NET Security Vulnerability:
Frequently Asked Questions about the ASP.NET Security Vulnerability:
[edit: Fixed posting error.]
Solved! Go to Solution.
09-27-2010 03:16 PM
Microsoft is planning to release an out of cycle update to fix this problem on Tues. Sept 28th.
Please see this article for further information. Thanks.
Success always occurs in private and failure in full view.
09-28-2010 12:33 PM - edited 09-28-2010 12:34 PM
Microsoft has released Security Advisory M.S.10-070 and Patches for this Issue. Customers are advised to re-view and Install the Patch as soon as possible. Workarounds are also available; however some Reports suggest that they do not protect against all Timing Attacks. Please see Microsoft "Patch Tuesday" for Patch Details.