Not what you were looking for? Ask our experts!
Reply
Rootkit Eradicator
Posts: 5,357
Registered: ‎05-30-2008
Accepted Solution

Security Alert: Vulnerability in ASP.NET Could Allow Information Disclosure

[ Edited ]

Customers using ASP.NET in Public-Facing Servcies are advised to read Microsoft Security Advisory (2416728) and to apply the Workarounds immediately. Several Exploit Tools are available for this Class of Vulnerability and Microsoft reports that SharePoint and Exchange - and all applications that rely on ASP.NET - are affected by this Vulnerability. This issue is being exploited in-the-Wild in Limited Attacks and in some cases can result in a complete system compromise. Further information is available in the below resources. 

 

Microsoft Security Advisory (2416728):
Vulnerability in ASP.NET Could Allow Information Disclosure:
https://www.microsoft.com/technet/security/advisory/2416728.mspx.

Security Advisory 2416728 Released:
http://blogs.technet.com/b/msrc/archive/2010/09/17/security-advisory-2416728-released.aspx.

 

Understanding the ASP.NET Vulnerability:
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx.

Important: ASP.NET Security Vulnerability:
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx.

Frequently Asked Questions about the ASP.NET Security Vulnerability:
http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-secur....

 

 

[edit: Fixed posting error.]     

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
floplot
Posts: 10,576
Topics: 215
Kudos: 2,051
Solutions: 365
Registered: ‎04-11-2009

Re: Security Alert: Vulnerability in ASP.NET Could Allow Information Disclosure

Hello All

 

Microsoft is planning to release an out of cycle update to fix this problem on Tues. Sept 28th.

 

Please see this article for further information. Thanks.

 

 

http://www.zdnet.com/blog/security/malware-attacks-force-ms-to-ship-emergency-aspnet-patch/7385?tag=...

Success always occurs in private and failure in full view.




Rootkit Eradicator
Posts: 5,357
Registered: ‎05-30-2008

Re: Security Alert: Vulnerability in ASP.NET Could Allow Information Disclosure

[ Edited ]

Microsoft has released Security Advisory M.S.10-070 and Patches for this Issue. Customers are advised to re-view and Install the Patch as soon as possible. Workarounds are also available; however some Reports suggest that they do not protect against all Timing Attacks.  Please see Microsoft "Patch Tuesday" for Patch Details.

 

 

 

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]