Microsoft updated SA2416728 to include a step in the workaround requiring blocking of requests that specify the app error path on querystring. This additional step can be done at a server-wide level, and it doesn’t replace other steps in the original workaround, rather it should be done in addition to the steps already in it. Below are instructions on how to enable it:
Install and Enable IIS URLScan [x86, x64] with a Custom Rule. Add an Addition URL Scan Rule. Once URLScan is installed, open and modify UrlScan.ini file in this location: %windir%\system32\inetsrv\urlscan\UrlScan.ini —Near the bottom of UrlScan.ini file you’ll find [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save file:
Above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET apps, and will instead cause web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between different types of errors occurring on a server – which helps block attacks using this vulnerability. After saving this change, run “iisreset” from elevated command prompt for the above changes to take effect. To verify the change has been made, try accessing a URL on your site/app that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.