CVE Number | Vulnerability | Product | Severity | Date |
---|---|---|---|---|
MS10-070 | Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) | Windows 7 | Critical | 29-09-2010 |
Technical Information
Brief overview of the risk:
This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure.
Detailed Information on the risk:
An information disclosure vulnerability exists in ASP.NET due to improper error handling during encryption padding verification. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.
Further information on this exploit is available at : MS10-070
Affected Software
Windows 7 for 32-bit SystemsWindows 7 for x64-based Systems
Windows Server 2008 for 32-bit Systems Service Pack 2**
Windows Server 2008 for 32-bit Systems**
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2**
Windows Server 2008 for x64-based Systems**
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for x64-based Systems