Defuse the Ticking Bomb in your SharePoint Sites

Update: An out-of-band patch for this issue has now been released. Please see the SharePoint Team Blog for details.

By now, you have probably heard about the ASP.NET security flaw that was discovered over the weekend. SharePoint has been an ASP.NET based application for the last several versions, so it stands to reason that it would be affected by any problems discovered in the core platform. However, there has been some conflicting information with regard to just how (and how much) this affects SharePoint - in particular whether all versions are affected, or just SharePoint 2010.

The latest word is that you need to apply workarounds if you are using either SharePoint 2010 or SharePoint 2007. This also applies to SharePoint Foundation 2010 and Windows SharePoint Services 3.0, as well as SharePoint Portal Server 2003 and Windows SharePoint Services 2.0. (Updated to include confirmation of the older product impact.)

While it is good practice to harden any SharePoint environment, it is particularly critical to apply updates and security measures to public-facing sites. If you have not already done so, please immediately go to the official SharePoint Team Blog site and read their update for information about how to configure SharePoint to mitigate this critical ASP.NET issue. The article regarding this issue is regularly updated, and directly linked below:

Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

This issue affects virtually all ASP.NET Versions

Please remember, this is not "just" a SharePoint issue - it affects all ASP.NET applications, from all vendors. Even if you don't use SharePoint, you should check with your software supplier to determine what steps should be taken to mitigate any risks in your environments.