Microsoft today released a security bulletin and “out of band” update for a vulnerability affecting ASP.NET applications.
Early analysis of this vulnerability has called it extremely serious, but in bulletin MS10-070, “Vulnerability in ASP.NET Could Allow Information Disclosure,” Microsoft classifies it as “Important” rather than “Critical.” The vulnerability could allow an attacker to view encrypted state on ASP.NET transactions. Nearly every version of Windows is listed as affected.
Initially the update will be available only through the Microsoft Download Center. This makes it easier for Microsoft to deliver it quickly to those who really want it and will use it to test their installations. Once it has some feedback from the real world, Microsoft will release the update through WSUS and Windows Update.