Monday, September 20, 2010

Important ASP.NET security vulnerability in ALL versions, and in every application built on it (SharePoint, DNN, Reporting Services): all .aspx pages

MSFT just released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET.

What an attacker can do with it:

  • Request and download files within an ASP.NET application, such as the web.config file (which often contains sensitive data).
  • Even your DLL assemblies in the Bin directory (which can then be opened in .NET Reflector to recover the source code).

How to fix it.

  • When an error happens (an exception is thrown, status 500; or a file does not exist, status 404), do NOT return a distinct error code such as 404 or 500.
    • For web.config, enable customErrors with mode="On" or "RemoteOnly" and remove the per-status <error> mappings, so every failure ends up on the same page:

      <system.web>
        <customErrors defaultRedirect="GenericError.htm"
                      mode="RemoteOnly">
          <!-- Remove these per-status mappings: they let a client tell a 404 from a 403. -->
          <error statusCode="404"
                 redirect="404.htm"/>
          <error statusCode="403"
                 redirect="403.htm"/>
        </customErrors>
      </system.web>

    • For a custom handler or HTTP module, make sure the status code is always 200 even when an exception occurs. Code like this:

        if (userNoAccess)
        {
            Response.StatusCode = 403;
        }

        try
        {
            // ... handler work ...
        }
        catch (Exception ex)
        {
            Log.logError(ex);
            Response.StatusCode = 500;
        }

      should be changed to:

        if (userNoAccess)
        {
            // Access is denied, but the status code must not say so.
            Response.StatusCode = 200;
        }

        try
        {
            // ... handler work ...
        }
        catch (Exception ex)
        {
            Log.logError(ex);          // keep the detail server-side only
            Response.StatusCode = 200; // same code as the success path
        }
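Rather than editing every handler by hand, the same rule can be enforced once for the whole application with an IHttpModule. The module below is an added example, not code from the post or from Microsoft's advisory: it hooks the application's Error event so unhandled exceptions never reach the default error page, and the EndRequest event so any 4xx/5xx status a handler set explicitly is rewritten to 200 with the same generic body. It assumes classic ASP.NET (System.Web) and a static page ~/GenericError.htm, the file name used in the web.config above.

```csharp
// Added example (not from the original post): one module that makes every
// failed request look identical to the client, regardless of the cause.
// Assumes System.Web (ASP.NET 2.0+) and a static page ~/GenericError.htm.
using System;
using System.Diagnostics;
using System.Web;

public class UniformErrorModule : IHttpModule
{
    // Assumed path; matches defaultRedirect in the post's web.config.
    private const string GenericErrorPage = "~/GenericError.htm";

    public void Init(HttpApplication app)
    {
        // Unhandled exceptions from pages, handlers and other modules raise this.
        app.Error += OnError;
        // Last point at which a status code set by a handler can still be changed.
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private static void OnError(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        Exception ex = app.Server.GetLastError();

        // Keep the detail for operators; the client never sees it.
        Trace.TraceError("Unhandled exception: {0}", ex);

        // Clearing the error stops ASP.NET from rendering its own 500 page.
        app.Server.ClearError();
        WriteGenericResponse(app.Context);
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;

        // A 403 from an access check, a 404 for a missing resource or a 500 set
        // in a catch block all become a 200 with the same body, so the status
        // code no longer reveals which kind of failure occurred.
        if (app.Context.Response.StatusCode >= 400)
        {
            WriteGenericResponse(app.Context);
        }
    }

    private static void WriteGenericResponse(HttpContext context)
    {
        HttpResponse response = context.Response;
        response.Clear();               // discard whatever the handler wrote
        response.StatusCode = 200;
        response.ContentType = "text/html";
        response.WriteFile(context.Server.MapPath(GenericErrorPage));
    }
}
```

Register the module in web.config under `<system.web><httpModules>` (IIS 6 or classic mode) or `<system.webServer><modules>` (IIS 7 integrated mode), giving the assembly-qualified type name. Because the response is rewritten at EndRequest, the module relies on the default buffered response; a handler that flushes headers early cannot be corrected this way and should use the 200-on-every-path pattern shown above directly.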

When will MSFT release the patch?

  • It looks like the team is still in the investigation phase gathering more details; I don't think it will take a long time.
