A new security vulnerability has recently been discovered in all ASP.Net sites including both WebForms and MVC. This is a high priority vulnerability and if you manage any ASP.Net sites you should aim to get the work around in place as soon as possible.

Microsoft are currently working on a hot fix but have yet to give an estimate on when this will be rolled out so until then a work around is your only option.

The vulnerability allows your ViewState to be decrypted and also potentially allows your web.config to be retrieved and decrypted over http making any sensitive information stored in there available to the attacker.

The attack works by sending requests to the site that causes errors. The attacker sends cipher text to the site and then monitors the errors, from this it is able to tell if the cipher was decrypted correctly by looking at the error returned. Eventually the attacker is able to learn enough about the encryption to decrypt cipher text on its own.

Scott Gu has put together a great post on implementing the work around on his blog, please follow the steps in his article to ensure your sites are protected from this kind of attack.