Symantec Security Threatcon Status for 2010-10-05
Microsoft ASP.NET is affected by a padding oracle vulnerability. Several exploit tools are available for this class of vulnerability, and Microsoft reports that SharePoint, Exchange, and all other applications that rely on ASP.NET are affected. This issue is being exploited in the wild in limited attacks and in some cases can result in a complete system compromise.
Update (September 28, 2010): Microsoft has released security advisory MS10-070 and patches for this issue. Customers are advised to review and install the patch as soon as possible. Workarounds are also available; however, some reports suggest that they do not protect against all timing attacks.
Further information is available in the following resources.
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx
Microsoft Security Advisory (2416728) Vulnerability in ASP.NET Could Allow Information Disclosure https://www.microsoft.com/technet/security/advisory/2416728.mspx
Security Advisory 2416728 Released http://blogs.technet.com/b/msrc/archive/2010/09/17/security-advisory-2416728-released.aspx
Understanding the ASP.NET Vulnerability http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
Out of Band Release to Address Microsoft Security Advisory 2416728 http://blogs.technet.com/b/msrc/archive/2010/09/27/out-of-band-release-to-address-microsoft-security-advisory-2416728.aspx
Important: ASP.NET Security Vulnerability http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Frequently Asked Questions about the ASP.NET Security Vulnerability http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx