Description

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State form data, and possibly forge cookies or read application files, via a padding oracle attack.

Remediation

Install the appropriate hotfix as outlined in Microsoft Security Bulletin MS10-070 (refer to the 'Web references' section).

References
