bakedjake - 3:28 pm on Sep 20, 2010 (gmt 0)
If you're not using custom error pages on IIS/ASP.net, you need to be concerned.
Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server.
Vulnerability in ASP.NET Could Allow Information Disclosure [microsoft.com]
ScottGu's got more here [weblogs.asp.net]. Note that he recommends a single, solitary custom error page regardless of error returned. He also has a script to check if you are vulnerable or not.
Kaspersky has a video of the exploit being run on threatpost [threatpost.com].
No fix currently except the workaround mentioned above. Note that an attacker could use the vulnerability to read application configuration files containing keys or database passwords, so it's serious enough you should check it out as soon as possible.