Microsoft has confirmed that millions of ASP.NET web applications are vulnerable to attacks that could potentially let an attacker decrypt data and read arbitrary files on the remote web server. The vulnerability, dubbed “oracle padding”, is in the .NET Framework; details here, tool (POET) here.
Microsoft will have to patch every supported version of Windows, from XP Service Pack 3 and Server 2003 to Windows 7 and Server 2008 R2, as well as other products, including its IIS and SharePoint server software. They have also released a tool to test for vulnerable web applications. That will definitely be included in my pentest kit.