Security Bulletins

Vulnerability in ASP.NET

Background

On September 17, 2010, Microsoft released Security Advisory 2416728, which stated that Microsoft was investigating public reports of a vulnerability in ASP.NET. On September 28, 2010, Microsoft released an out-of-band (outside the normal patch schedule) bulletin, Security Bulletin MS10-070, and an associated patch to address the issue.

Impact

An attacker who successfully exploits this vulnerability against an affected version of ASP.NET is able to view data encrypted by the server, including state data. If the server is running Microsoft .NET Framework 3.5 Service Pack 1 or higher, the attacker may also be able to retrieve any file within the application. This would include configuration files, such as web.config, that may store sensitive attributes. Through the information disclosure attack, an attacker may obtain enough information to compromise the integrity of the web application or the host system.

Platforms Affected

The following versions of the .NET Framework are affected when installed on t