As we previously communicated on September 17, Microsoft released Microsoft Security Advisory (2416728), “Vulnerability in ASP.NET Could Allow Information Disclosure.” In our last post on this issue we reported that Microsoft is investigating a new public report of a vulnerability in ASP.NET and that further details would be provided once a fix was released. We are now confirming that Microsoft will be releasing an out of band security update on September 28th which will address the specific issue reported in the bulletin.
The Exchange Server team has completed validation of this fix against Microsoft Exchange Server 2010, 2007 and 2003 and we are pleased to report that we have not identified any issues related to the application of this patch on an Exchange Server.
We recommend that Exchange customers consider applying this fix to all of their Exchange Servers which have an affected version of ASP.NET installed on the underlying Operating System in a timely manner to help protect against any attempts to exploit this vulnerability within their environment.
Additional information about the original issue can also be found in Understanding the ASP.NET Vulnerability on the Microsoft Security Research and Defense blog, and in the following blog posts by Microsoft .NET Developer Platform Vice President Scott Guthrie: