
Security Advisory 2416728 - Workaround Update

Hi everyone -

We’ve updated Microsoft Security Advisory 2416728 to include a step in the workaround requiring the blocking of requests that specify the application error path on the querystring. This can be done using URLScan, a free tool for Internet Information Services (IIS) that can selectively block requests based on rules defined by the administrator. If your system is running Internet Information Services (IIS) on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2, you can alternatively use the Request Filtering feature.

If you’ve already implemented the workaround we’ve previously published, please add this additional step to help block attackers from exploiting the vulnerability.
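
One way to confirm the added step is in effect, as an added example that is not part of the original post or any Microsoft tool: it scans an IIS W3C log for requests that carry the error path on the querystring and reports whether each one was rejected. It assumes the parameter is ASP.NET's `aspxerrorpath=` (the post does not name it), that the log records `cs-uri-query` and `sc-status`, and that the filter answers with HTTP 404; the log lines are constructed.

```python
from urllib.parse import unquote

# Constructed sample IIS W3C log lines (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status sc-substatus
2010-09-25 10:00:01 GET /default.aspx - 200 0
2010-09-25 10:00:02 GET /error.aspx aspxerrorpath=/default.aspx 200 0
2010-09-25 10:00:03 GET /error.aspx ASPXERRORPATH=/a.aspx 404 18
2010-09-25 10:00:04 GET /error.aspx x=1&aspxerrorpath%3D/b.aspx 404 0
2010-09-25 10:00:05 GET /search.aspx q=errorpath 200 0
"""

# Assumption: the "application error path" parameter is ASP.NET's aspxerrorpath.
MARKER = "aspxerrorpath="


def audit(log_text):
    """Return (line_no, status.substatus, verdict) for each request carrying MARKER."""
    fields, findings = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            # The field list can change mid-file; always use the latest header.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        # Decode and lowercase so encoded or mixed-case variants are not missed.
        if MARKER not in unquote(query).lower():
            continue
        status = row.get("sc-status", "?")
        sub = row.get("sc-substatus", "0")
        # 404.18 is the Request Filtering substatus for a denied query string
        # sequence; any 404 is treated here as "rejected" (assumption).
        verdict = "blocked" if status == "404" else "NOT BLOCKED"
        findings.append((line_no, f"{status}.{sub}", verdict))
    return findings


if __name__ == "__main__":
    for line_no, code, verdict in audit(SAMPLE_LOG):
        print(f"log line {line_no}: HTTP {code} -> {verdict}")
```

Any `NOT BLOCKED` entry dated after the rule was deployed means the filter is not applied to that site or server.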

Microsoft remains committed to taking the appropriate action to help protect our customers. Through our comprehensive monitoring, we continue to see limited active attacks. We want to assure you that we have teams working around the clock worldwide to develop a security update of appropriate quality for distribution to address this vulnerability. For additional information on the updated workaround, visit Scott Guthrie’s blog.

The Security Advisory will be updated with any new developments, so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added. Sign up here: http://technet.microsoft.com/en-us/security/dd252948.aspx

We will also keep customers apprised of any additional details and updates through the MSRC Blog.

Thanks,

Dave Forstrom

Director, Trustworthy Computing at Microsoft

Follow us on Twitter: @MSFTSecResponse
