Vulnerability in ASP.NET Could Allow Information Disclosure

On Friday, September 17, Microsoft announced the discovery of a major security problem in any website using ASP.NET. Acceleration takes security very seriously, and pro-actively took steps to ensure the safety and privacy of our client sites and data.

To be clear, this security flaw is not a problem or error with individual websites.  It is a deeper issue with ASP.NET decryption error handling, in code developed and deployed by Microsoft.

Normally security updates of this sort are included in hosting fees, as they are provided by Microsoft as a server-wide updates.  Computer security researchers discover these flaws routinely, and whoever discovers the security holes usually gives Microsoft advanced notice so server-wide updates can be developed and deployed before the vulnerability is published.  In this case however, the flaw was announced prematurely, and Microsoft did not have time to provide a server-wide fix.  Microsoft did offer a per-website manual workaround that we applied and tested, going server-by-server and site-by-site.

For shared hosting and managed co-location clients, we have modified your web.config and added a error.aspx or error.html file (following Microsoft’s workaround).

For clients who develop their own website, please read through the changes we made to the web.config file(s).  To keep your site safe, you’ll need to adjust your source code accordingly so you don’t overwrite the fix when you next deploy your website.

For un-managed co-location clients, please read Microsoft Security Advisory (2416728): Vulnerability in ASP.NET Could Allow Information Disclosure and apply the fix to your affected sites.

See also: