Symantec Security Threatcon Status for 2010-10-06
Microsoft ASP.NET is affected by a padding oracle vulnerability. Several exploit tools are available for this class of vulnerability, and Microsoft reports that SharePoint, Exchange, and all other applications that rely on ASP.NET are affected. This issue is being exploited in the wild in limited attacks and in some cases can result in a complete system compromise.
Update (September 28, 2010): Microsoft has released security advisory MS10-070 and patches for this issue. Customers are advised to review and install the patch as soon as possible. Workarounds are also available; however, some reports suggest that they do not protect against all timing attacks.
Further information is available in the following resources:
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
Microsoft Security Advisory (2416728)
Vulnerability in ASP.NET Could Allow Information Disclosure
Security Advisory 2416728 Released
Understanding the ASP.NET Vulnerability
Out of Band Release to Address Microsoft Security Advisory 2416728
Important: ASP.NET Security Vulnerability
Frequently Asked Questions about the ASP.NET Security Vulnerability