Microsoft announced that they will release an update tomorrow for ASP.NET. The update will address a vulnerability disclosed by Thai Duong and Juliano Rizzo at ekoparty, a Latin American security conference. The critical vulnerability allows a remote attacker to extract information from web applications built on ASP.NET and, in certain circumstances, can be used to take control of the affected server.
The current advisory provides a workaround for the problem. It minimizes information leakage through the error reporting system and should be considered a best practice for web applications even without the current attack. Scott’s blog post provides great insight, as does the blog post from the DotNetNuke team on how to implement the workarounds in their environment.
We recommend installing the patch immediately once it becomes available. IT administrators should first focus on web servers that do not have the workarounds implemented.
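
To help find servers that still lack the workaround, here is an added example (not from the advisory or from the blog posts mentioned above) that audits a `web.config` for it. It assumes the workaround takes the form of an enabled `<customErrors>` section that sends every error to a single `defaultRedirect` page; the function name and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from any real server).
HARDENED = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>"""

LEAKY = """<configuration>
  <system.web>
    <customErrors mode="Off">
      <error statusCode="404" redirect="~/404.html" />
    </customErrors>
  </system.web>
</configuration>"""

def _local(tag):
    # Drop an XML namespace prefix such as "{uri}customErrors".
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml):
    """Return findings; an empty list means the assumed workaround shape is present."""
    root = ET.fromstring(web_config_xml)
    sections = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> section"]
    findings = []
    for ce in sections:
        mode = ce.get("mode", "RemoteOnly")  # ASP.NET default when omitted
        if mode not in ("On", "RemoteOnly"):
            findings.append("mode=%r shows detailed errors to remote clients" % mode)
        if not ce.get("defaultRedirect"):
            findings.append("no defaultRedirect: errors are not sent to one page")
        # Separate pages per status code let a client tell error types apart.
        per_status = [c.get("statusCode") for c in ce if _local(c.tag) == "error"]
        if per_status:
            findings.append("per-status pages %s distinguish error types" % per_status)
    return findings

if __name__ == "__main__":
    for name, xml in (("hardened", HARDENED), ("leaky", LEAKY)):
        print(name, audit_custom_errors(xml) or "OK")
```

Run it against each site's `web.config` and handle the servers with non-empty findings first.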