We have published a .vbs script that you can save and run on your
web-server to determine if there are ASP.NET applications installed on it that
either have <customErrors> turned off, or which differentiate error
messages depending on status codes.
You can download the .vbs script here. Simply copy/paste the script into a text file
called “DetectCustomErrors.vbs” and save it to disk. Then launch a
command window that is elevated as admin and run “cscript
DetectCustomErrors.vbs” to run it against your local web-server. It will
enumerate all of the applications within your web server and verify that the
correct <customErrors> configuration has been specified.
It will flag any application whose web.config file either doesn’t
have the <customErrors> section (in which case you need to add it), or
doesn’t have it set correctly to work around this attack (in which case
you need to update it). It will print “ok” for each application
web.config file it finds that is fine. This should make it easier to
locate issues.
Note: We have developed this detection script over the last
few hours, and will be refining it further in the future. I will post an
update in this section each time we make a change to it.
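For illustration, the following Python example applies the checks described above (missing <customErrors> section, <customErrors> turned off, per-status-code error entries) to web.config files. It is an added example, not the DetectCustomErrors.vbs script and not code from the original post. Walking a directory tree instead of enumerating IIS applications, the function names, and the sample configurations are assumptions made for this example.

```python
import os
import sys
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop an XML namespace prefix such as "{uri}customErrors".
    return tag.rsplit("}", 1)[-1]

def check_web_config(xml_data):
    """Return "ok" or a short finding for one web.config (str or bytes)."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return "unparseable: %s" % exc
    sections = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not sections:
        return "missing <customErrors> section"
    for section in sections:
        # ASP.NET defaults to RemoteOnly when the mode attribute is absent.
        if section.get("mode", "RemoteOnly").lower() == "off":
            return "<customErrors> is turned off"
        if any(_local(child.tag) == "error" for child in section):
            return "<error statusCode=...> entries differentiate errors"
    return "ok"

def scan_tree(root_dir):
    """Map every web.config path under root_dir to its finding."""
    results = {}
    for folder, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() == "web.config":
                path = os.path.join(folder, name)
                with open(path, "rb") as handle:
                    results[path] = check_web_config(handle.read())
    return results

# Constructed sample inputs, not taken from any real application.
SAMPLE_OK = '<configuration><system.web><customErrors mode="On" defaultRedirect="~/error.html" /></system.web></configuration>'
SAMPLE_OFF = '<configuration><system.web><customErrors mode="Off" /></system.web></configuration>'
SAMPLE_SPLIT = ('<configuration><system.web><customErrors mode="On" defaultRedirect="~/error.html">'
                '<error statusCode="404" redirect="~/404.html" /></customErrors></system.web></configuration>')
SAMPLE_MISSING = '<configuration><system.web /></configuration>'

if __name__ == "__main__":
    for path, finding in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print("%s: %s" % (path, finding))
```

Run it with the site root as the only argument. It checks each web.config file on its own, so a child application that inherits its settings from a parent is reported as missing the section.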
How to Find More Information about this Vulnerability
You can learn more about this vulnerability from:
Microsoft Security Advisory 2416728
Understanding the ASP.NET Vulnerability
Microsoft Security Response Center Blog Post