FAQ Released For Microsoft ASP.NET CryptographicException Attack

Scott Guthrie, Microsoft’s corporate vice president for the .NET platform, posted a FAQ about the ASP.NET CryptographicException vulnerability on his blog late Monday.

Highlights:

  • All versions of ASP.NET are affected. That includes WebForms and MVC versions 1 and 2.
  • SharePoint is affected, too. That team’s blog details a workaround for employing a new generic error document for SharePoint.
  • Everyone should employ the recommended workarounds.
  • You have to route all HTTP errors to the workaround’s generic error page. Otherwise, the hack still works.
  • A patch will be released as a Windows Update hotfix, but no release date has been set yet.
  • Check your logs for CryptographicException errors. If you see them, it’s possible you are being probed.
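
One way to check the "route all HTTP errors to one generic page" point above is the following added example, which is not from the original post or from Microsoft. It assumes the generic error page is configured through ASP.NET's standard customErrors section in web.config; the sample configs and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the original post).
WEAK = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
  </customErrors>
</system.web></configuration>"""

UNIFORM = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means all errors share one page."""
    root = ET.fromstring(web_config_xml)
    # iter() also reaches customErrors inside <location> overrides, which can
    # undo the site-wide setting for a single path.
    sections = list(root.iter("customErrors"))
    if not sections:
        return ["no customErrors section: errors are not routed to a generic page"]
    findings = []
    for ce in sections:
        mode = ce.get("mode", "RemoteOnly")  # ASP.NET default when omitted
        default = ce.get("defaultRedirect")
        # Assumption: only mode=Off is treated as a failure here.
        if mode.lower() == "off":
            findings.append("mode=Off: detailed errors reach remote clients")
        if not default:
            findings.append("defaultRedirect missing: no generic error page")
        # Per-status pages let a client tell one error type from another.
        for err in ce.findall("error"):
            target = err.get("redirect") or ""
            if target.lower() != (default or "").lower():
                findings.append("statusCode %s goes to %r, not the generic page"
                                % (err.get("statusCode"), target))
    return findings


if __name__ == "__main__":
    for name, xml in (("WEAK", WEAK), ("UNIFORM", UNIFORM)):
        print(name, audit_custom_errors(xml) or "OK")
```
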

I take this very seriously. There’s a tool and video tutorial out there detailing how to run this exploit, so every script kiddie in the world is looking for sites to exploit, I am sure.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/faq-released-for-microsoft-asp-net-cryptographicexception-attack
