Hi everyone -

We've just updated Microsoft Security Advisory 2416728 as we've begun to see limited attacks with the ASP.NET vulnerability.  We have added questions and answers and encourage customers to review this information and evaluate it for their environment. 

We have also added further technical questions and answers to the Security and Defense blog, which has previously discussed the issue. Additional and expanded questions will also be added to Scott Guthrie's blog shortly.

As always, we continue to advocate for community-based defense through coordinated vulnerability disclosure.  We fundamentally believe, and history has shown, that once vulnerability details are released publicly, the probability of exploitation rises significantly. Without coordination in place to provide a security update or proper guidance, risk to customers is greatly amplified. 

We'll update the security advisory and this blog with new information as it becomes available.

Thanks,

Dave Forstrom

Director, Trustworthy Computing at Microsoft.

Follow us on Twitter: @MSFTSecResponse