Loading User Information from Channel 9
Something went wrong getting user information from Channel 9
Loading User Information from MSDN
Something went wrong getting user information from MSDN
Loading Visual Studio Achievements
Something went wrong getting the Visual Studio Achievements
It was RCE because with a web.config you get the machine key of the ASP.NET application. With the machine key of the ASP.NET application you can sign any data as part of the ViewState, which means that you can fabricate malicious viewstate which is then deserialized. And although it wasn't widely known at the time, the deserializer was vulnerable to RCE (CVE-2013-3171).
So tl;dr is that the web.config oracle was RCE at the time if your web.config contained a machine key and used viewstates anywhere in your application.
Even now it's more than an information disclosure; with the machine key you can still get an arbitrary file delete from the ASP.NET machine account (which isn't many files, but it isn't zero files either), and this bug has been around since at least 2012.
Then, like I suggest, you take it up with TWC. You've said you're internal before, so you should know the routes.
Then perhaps you can ask MSRC to reclassify. The maximum security impact given to bulletins is a subject of much discussion and we always choose the most serious. Building a new auth token and having code act on it isn't an RCE.
Not true. It wasn't discovered by code reviewing but by testing of the binaries, black box testing, as you would also do with closed source.
According to Karjalainen, he and Hietamäki were testing some new features for Codenomicon's protocol test suite with a feature called Heartbeat, which sends data between servers to see if it comes back unaltered.
Also, at the time, every other browser that was released didn't conform to standards, either. Firefox at first didn't. Chrome at first didn't. Safari at first didn't. Opera at first didn't. It took each of them some time to get up to code. In the mean time, web devs often had to do work-arounds to deal with the quirks of each of them. It was quite annoying.
And then they started adding their own features, and pushing for those to become standards. Which is why HTML5 is kinda a mess. And google's HTML5 "standard" demos only work in Chrome.