In a security advisory Microsoft has confirmed the vulnerability in the process used by ASP.NET applications to encrypt cookies and other session information. In the announcement for the security advisory, Microsoft said it was not, so far, aware of any attacks. However, the security group do encourage users to “review the advisory for mitigations and workarounds”. A blog entry describes how to implement the workarounds and offers a script to help administrator determine whether their ASP.NET applications are vulnerable.
Read the full article here.