New ASP.NET Security Vulnerability could allow access to web.config

7 points by kadhinn, over 14 years ago

3 comments

jasonkester, over 14 years ago
This doesn't seem like something worth worrying about to me.

In order for this to happen to your site, you would have to have CustomErrors turned off, or otherwise have your site set up to display stack traces to the general public. That's a quick recipe to get your site hacked regardless of technology, so the fact that it leaves you a little more open to a specific type of crypto attack is neither here nor there.

So basically, if you're following best practices (not just for ASP.NET, but web dev in general) and not displaying stack traces to your users, you're not in danger of this happening to you.
MichaelApproved, over 14 years ago
The recommended temporary patch is horrible. They want servers to return a 500 error with exactly the same message no matter what the problem is. That means 404 and any other custom error can't be returned to the user. The user has no idea what just happened and why they're seeing the error.

A patch is on the way to eventually make this unnecessary but there's absolutely no ETA for it. Are we talking days, weeks, (gasp) months? They do deserve credit for responding to the comments but it would be good to have a better ETA.
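The workaround discussed in the comment above (every error producing the same response) can be checked against a site's web.config. This is an added example, not code from the thread or from Microsoft; it assumes the standard ASP.NET `customErrors` element, the function name `audit_custom_errors` is hypothetical, and the sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the thread).
DETAILED = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""

PER_STATUS = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
  </customErrors>
</system.web></configuration>"""

UNIFORM = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return a list of findings. An empty list means every error is
    mapped to one identical page, so a remote client cannot tell
    failure types apart from the response."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("customErrors"), None)
    if node is None:
        return ["no <customErrors> element: no single error page configured"]
    findings = []
    # ASP.NET treats a missing mode attribute as RemoteOnly.
    mode = node.get("mode", "RemoteOnly")
    if mode.lower() == "off":
        findings.append("mode=Off: detailed errors shown to remote clients")
    if not node.get("defaultRedirect"):
        findings.append("no defaultRedirect: no single error page configured")
    # Per-status pages (the 404 page the comment wants to keep) make
    # error types distinguishable again.
    for err in node.findall("error"):
        findings.append("status %s has its own page %s: errors are distinguishable"
                        % (err.get("statusCode"), err.get("redirect")))
    return findings


if __name__ == "__main__":
    for name, cfg in [("detailed", DETAILED), ("per-status", PER_STATUS),
                      ("uniform", UNIFORM)]:
        print(name, audit_custom_errors(cfg) or "OK")
```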
tomjen3, over 14 years ago
For those of you who don't know .net, this is basically where all the site-specific configuration files lie - think database passwords, email servers, admin passwords to bootstrap the system, etc.

So this is kind of a big deal.