NEWS FROM THE LAB - Wednesday, September 29, 2010

Patch for ASP.NET Information Disclosure Vulnerability Released

Posted by Alia @ 08:11 GMT

Microsoft has released an out-of-band security bulletin (MS10-070) for the ASP.NET "information disclosure" vulnerability.

The short version of the vulnerability is that exploiting it generates unintended error messages containing information that an attacker may be able to use to view or compromise data.

According to the bulletin, any application running on the ASP.NET platform is vulnerable. It also indicates that Microsoft is aware of current, limited attacks against the vulnerability.

SANS raised their InfoCon Alert from Green to Yellow for this vulnerability, to "raise awareness for this problem and patch." The notice on the SANS blog also links to a much more detailed explanation of the attack.

For more info, you can read our Vulnerability Report on it, or better yet, go straight to the Microsoft site and get yourself the updates (MS10-070 Security Bulletin).