ASP.NET Security Vulnerability – A Security Update is Available

This security update resolves a publicly disclosed vulnerability in ASP.NET that we discussed in previous blog posts. The vulnerability could allow information disclosure from Web applications. An attacker who successfully exploited this vulnerability could read data, such as the view state, that was encrypted by the server. The vulnerability can also be used for data tampering: a successful exploit could let an attacker decrypt and tamper with data encrypted by the server.


Call To Action


Apply the security update that addresses the vulnerability on your Web servers, and communicate with your customers, urging them to apply this update on their dedicated and virtual servers. The security update download locations and FAQ are available on this page. This update fixes all known attack vectors in the vulnerability.


In the near future we will also make this security update available on Windows Update and Windows Server Update Services. Once these are ready, we will provide an update.


You can learn more about the solution in the official Microsoft Security Bulletin post and in Scott Guthrie's blog. Furthermore, you and your customers can use a special ASP.NET Forum to ask questions and get help with this security update. If you have problems or questions, you can also contact Microsoft Customer Support (including support over the phone with a support engineer).


Thank you,

Microsoft Hosting Team
