This is not just a simple patch fix, and even well managed sites can have this issue.
This is driven by ASP.NET giving up too much information in error codes.
The big takeaway:
It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires
you to explicitly set the “defaultRedirect” attribute
on the section and ensure that no per-status codes are set.
Here's the Scott Gu post
Get busy out there.