Please read if you have public ASP.NET sites

Yesterday, a new crypto oracle-type vulnerability was publicly disclosed. It is an important vulnerability that is likely to be exploitable on a large proportion of ASP.NET sites, even those that are using configuration settings that were previously considered safe.

There is a workaround available already that should be set-up right now. You should pay a lot of attention to this and apply the workaround without trying to simplify it as that may result in your sites still being vulnerable. The issue is rather subtle (like pretty much all oracle attacks are).

Scott published a blog post with all the details that I will not attempt to reproduce here in order to minimize any chance of confusion.

Please go to Scott’s post, read it and do what you have to do.

It’s always a bummer when that sort of thing happens but now is the time to take action so that your sites don’t fall to an automated or manual attack in the next few days.

UPDATE: Scott published a FAQ on this issue:


Comments have been disabled for this content.