Late last week Microsoft released Microsoft Security Advisory (2416728), “Vulnerability in ASP.NET Could Allow Information Disclosure. The vulnerability is being investigated by the Microsoft Security Research Center (MSRC). The Exchange team has just posted guidance for Exchange customers.
Head over to Microsoft Security Advisory 2416728, the ASP.NET Vulnerability, and Exchange Server for details.
Microsoft to release an Out of Band update on September 28
9/27/2010: In a blog post on the Microsoft Security Research Center (MSRC) blog, Dave Forstrom, Director of Trustworthy Computing, announced that an update to fix the ASP.NET vulnerability will be released tomorrow on Microsoft Download Center. The update will be pushed out broadly via Windows Update in a few days. More in Out of Band Release to Address Microsoft Security Advisory 2416728 on the MSRC blog.
Microsoft has released an advance notification for the out-of-band fix for the ASP.NET vulnerability. The fix will be released tomorrow. Microsoft will also hold a webcast to address customer questions tomorrow at 1:00 PM Pacific Time. More in the following advance notification.
Microsoft Security Bulletin Advance Notification for September 2010
Exchange team completes testing of ASP.NET security update
9/27/2010 10:07 PM: The Exchange team announced it has completed testing of the ASP.NET security update on Exchange Server 2010, 2007 and 2003, and advised customers apply the update once it’s available. More in UPDATE: Microsoft Security Advisory 2416728, the ASP.NET Vulnerability, and Exchange Server on the Exchange team blog.
Microsoft releases ASP.NET security update (MS10-070)
9/28/2010: Microsoft has released security updates to fix the ASP.NET vulnerability. See Microsoft Security Bulletin MS10-070 – Important
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042).