Today we released Security Advisory 2416728 describing a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework. At this time we are not aware of any attacks using this vulnerability and we encourage customers to review the advisory for mitigations and workarounds. Our Security Research & Defense team has written a blog post to explain how the workarounds work and have provided a script to help administrators determine if they have ASP.NET applications in vulnerable configurations.
We are continuing to investigate this issue and will update customers with new information as it becomes available as well as the MSRC blog. We are also working closely with our Microsoft Active Protections Program (MAPP) to help our partners build protections when and where possible.
We continue to encourage security researchers to coordinate vulnerability disclosure with software vendors. We believe public disclosure before a comprehensive update can be produced only leads to customer risk through criminal activity.
Group Manager, Response Communications