ASP.NET vulnerability and Exchange
All,
Is anyone aware of any guidance published by the Exchange team regarding the ASP.NET vulnerability?
http://www.microsoft.com/technet/security/advisory/2416728.mspx
Thanks,
September 21st, 2010 5:16pm
In my experiments, Exchange 2007 at least does seem to be vulnerable in that /owa/auth/webresource.axd will act as a padding oracle. This will allow an attacker to potentially compromise the ASP.NET machineKey. Now, I don't know enough about OWA to say whether it actually uses the ASP.NET machineKey for anything, though. For example, it doesn't seem to use ASP.NET's built-in forms auth, so an attacker may not be able to easily forge a login cookie.
To be sure, you may want to follow the info in this thread from the ASP.NET forums to disable the built-in error handler used by OWA, just in case.
For more information, I did a blog post on it.
September 22nd, 2010 8:38am
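As an added illustration (not part of this thread or the poster's blog) of what "disabling the built-in error handler" means in practice, this is the shape of the workaround Microsoft published in advisory 2416728 for ASP.NET 3.5 SP1 and 4.0: every unhandled error is rewritten to a single page and a small random delay is added so an attacker cannot tell a padding error from any other error by status code, content, or timing. The virtual-directory path and the error page name are assumptions; which Exchange web.config files to edit is a decision for your own change control.

```xml
<!-- web.config of the affected application (assumed: the OWA virtual directory).
     The vulnerable setting is any configuration that lets different errors produce
     different responses, e.g. <customErrors mode="Off" /> or a per-status <error> map. -->
<configuration>
  <system.web>
    <!-- Hardened: one response for every error. redirectMode="ResponseRewrite"
         keeps the URL and status uniform instead of issuing a 302 to a page that
         would reveal the original error via the query string. -->
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>

<!-- error.aspx (assumed filename) placed beside web.config: the page body is static and
     identical for all errors; the random sleep (0-255 ms) blunts timing as an oracle. -->
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    void Page_Load()
    {
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>
<html><body>An error occurred while processing your request.</body></html>
```

After applying this, confirm with a browser that a malformed /owa/auth/webresource.axd request and a request for a non-existent page return the same status and body; if they differ, another web.config in the hierarchy is still overriding customErrors.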
Thanks for the reply. I did see that thread on the asp.net forums, but hadn't noticed your blog. I'll take a look.
My concern is more than just OWA. So many other functions on the CAS server are in IIS that I was hoping the Exchange Team would publish some official guidance to verify that mitigating this vulnerability would not impact normal function of the CAS server.
September 22nd, 2010 4:29pm
A patch is coming out; the Exchange team has vetted it:
http://msexchangeteam.com/archive/2010/09/27/456453.aspx
September 28th, 2010 9:59am