Executive Summary
Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. Microsoft is aware of limited, active attacks at this time. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
For more information, you can read http://www.microsoft.com/technet/security/advisory/2416728.mspx
After this incident became known, the first impression was that it would not affect MOSS 2007 and MOSS 2010. But that is not true. If you are using MOSS 2007 or 2010, a workaround is described in the blog post at http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx
Please remember that this is only a workaround, and wait for the ASP.NET security patch release from Microsoft.