- Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State form data, and possibly forge cookies or read application files, via a padding oracle attack.
- Install the appropriate hotfix as outlined in Microsoft Security Bulletin MS10-070 (see the 'Web references' section).
- Understanding the ASP.NET Vulnerability
- Important: ASP.NET Security Vulnerability
- Vulnerability in ASP.NET Could Allow Information Disclosure
- How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability
- Vulnerability in ASP.NET Could Allow Information Disclosure (MS10-070)