- All versions of ASP.NET are affected. That includes WebForms and MVC versions 1 and 2.
- SharePoint is affected, too. The SharePoint team's blog details a workaround for setting up a new generic error document in SharePoint.
- Everyone should employ the recommended workarounds.
- You have to route all HTTP errors to the workaround’s generic error page. Otherwise, the hack still works.
- A patch will be released as a Windows Update hotfix, but no release date has been set yet.
- Check your logs for CryptographicException errors. If you see them, it’s possible you are being probed.
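
One way to check the "route all HTTP errors to one generic page" point is to audit each site's web.config. This is an added example, not code from Microsoft or from this post. The three rules it applies (mode not Off, a defaultRedirect present, no per-status `<error>` entry pointing elsewhere) are this example's reading of that bullet, and the sample configs and file names are constructed.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}customErrors".
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml):
    """Return findings for one web.config; an empty list means every
    error is routed to a single page."""
    root = ET.fromstring(web_config_xml)
    sections = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> section: errors are not routed to one page"]
    findings = []
    for ce in sections:
        mode = ce.get("mode", "RemoteOnly")  # ASP.NET default when omitted
        target = ce.get("defaultRedirect")
        if mode.lower() == "off":
            findings.append("mode=Off: detailed errors are returned to clients")
        if not target:
            findings.append("no defaultRedirect: no generic error page is set")
        for err in ce:
            if _local(err.tag) != "error":
                continue
            # A per-status page makes a 404 distinguishable from a 500.
            if err.get("redirect") != target:
                findings.append("statusCode %s goes to %s, not the generic page"
                                % (err.get("statusCode"), err.get("redirect")))
    return findings

# Constructed sample inputs (not taken from any real site).
WEAK = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
  </customErrors>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_custom_errors(xml) or "OK")
```
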
I take this very seriously. There’s a tool and video tutorial out there detailing how to run this exploit, so every script kiddie in the world is looking for sites to exploit, I am sure.
All links in this post on delicious: http://www.delicious.com/dougvdotcom/faq-released-for-microsoft-asp-net-cryptographicexception-attack