CIO  |  IT Security & Policy  |  LONI  |  LOUIS  |  UIS  |  UNI  |  USS  |  MDAC  |  Moodle
IT Security & Policy
Zero-day ASP.Net Vulnerability Workaround

Microsoft has release an advisory on a ASP.Net vulnerability.  Scott Guthrie (Corporate Vice President in the Microsoft Developer Division) has posted a FAQ on the ASP.Net vulnerability.  This post includes a workaround for the zero-day vulnerability.  This vulnerability is actively being exploited.

An attacker using this vulnerability can request and download files within an ASP.Net Application like the web.config file (which often contains sensitive data). An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

Resources
Microsoft Security Advisory (2416727):  Vulnerability in ASP.Net Could Allow Information Disclosure
[ScottGu's Blog] Important: ASP.Net Security Vulnerability
[ScottGu's Blog] Frequently Asked Questions about the ASP.Net Security Vulnerability