Emergency patch for ASP.NET vulnerability on its way
This evening (Tuesday) Microsoft plans to release an unscheduled patch to correct the bug in ASP.NET's implementation of cryptographic functions. Initially, the company plans to make the patch available from its download centre only, which will allow administrators to install it on their servers quickly. This will later be followed by distribution via the automatic update function.
The vulnerability can be exploited remotely to read specific ViewState values and cookies, and to download files from a server without the necessary authorisation. The Padding Oracle Exploitation Tool (Poet) is able to take advantage of this kind of vulnerability. Affected products include Microsoft SharePoint 2010, SharePoint Foundation 2010, Microsoft Office SharePoint Server 2007, Windows SharePoint Services 3.0 and Windows SharePoint Services 2.0.
The patch removes the need for the previously recommended workarounds, which prevent specific server error messages from being displayed. The workarounds should therefore be reverted after installing the patch.