On September 17, Microsoft released Microsoft Security Advisory (2416728), “Vulnerability in ASP.NET Could Allow Information Disclosure.” As stated in the advisory, Microsoft is investigating a new public report of a vulnerability in ASP.NET. Additional information about the issue can also be found in Understanding the ASP.NET Vulnerability on the Microsoft Security Research and Defense blog, and in the following blog posts by Microsoft .NET Developer Platform Vice President Scott Guthrie:
- Important: ASP.NET Security Vulnerability
- Frequently asked questions about the ASP.NET security vulnerability
All Microsoft Exchange versions starting with Exchange 2003 use ASP.NET in a manner where potential for this vulnerability exists. However, if you have implemented a default configuration within your environment there are only a handful of files which may contain sensitive data that could be potentially accessed. In addition this sensitive data is only useable if the attacker has managed to penetrate the additional defense layers built into Exchange.
Read more at source: http://msexchangeteam.com/archive/2010/09/23/456399.aspx