The ASP.NET community should be relatively safe once again. After a nasty scare over a vulnerability, Microsoft has made a security update available, and there are several different ways for people to get it.
Some background on the seriousness of this problem, which Scott Guthrie provided towards the beginning of the incident: “An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).”
What’s more, “An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).”
So the flaw posed a definite threat. Fortunately, as we mentioned earlier, Microsoft came up with a solution, and administrators can seek it out in the Microsoft Download Center if they like.
Administrators may be able to save themselves that slight inconvenience, too, as Microsoft also made the fix available through Windows Update and Windows Server Update Services.
Administrators should just be sure they patch everything one way or another, as Microsoft officially considers the matter important (via its “Aggregate Severity Rating”) and word of the problem has almost certainly gotten around by now.