Security Vulnerability in ASP.NET

Last week on Wednesday the 15th, EPiServer was alerted of a security vulnerability in Microsoft ASP.NET. We also learned that the details would be made publically available on a security conference in Argentina by two researchers on Friday later that week. Due to the indicated seriousness of the vulnerability, we made the investigation of this our top priority within the development department and on Thursday we could confirm that the exploit really existed as described. The vulnerability is in the ASP.NET encryption mechanism and parts of the exploit lie in how error messages are returned by the .NET Framework.

We acted according to our set processes in a situation as this and communicated with the main contacts at our partners so that they received relevant information about the matter. This was done well before the public announcement was made at the conference. EPiServer’s proposed workaround was more or less identical to the one announced by Microsoft later Friday evening, but with some additions. For more information regarding the vulnerability and the workaround, please read:

http://www.microsoft.com/technet/security/advisory/2416728.mspx

http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx

We advice everyone to take this threat very seriously and act accordingly.