developerFusion is back for 2012 – best wishes for the New Year to all our readers.
Microsoft released an out-of-band security update Thursday to address a critical Denial of Service vulnerability in ASP.NET.
The attack was disclosed last Wednesday at a security conference, where a hash collision attack was shown to work against several web framework servers, including PHP and ASP.NET.
“Hash collision attacks attempt to populate a hash-table within a server app with large numbers of items whose keys resolve to the same hash code” writes Microsoft’s Scott Guthrie in announcing the patch. “These key collisions can significantly slow down operations on the hash-table, and with enough elements can cause a server to spend minutes (or even hours) processing them.”
The attack is possible through standard HTTP POST requests, and it can take very few such requests to make the server unresponsive.
The attack is clearly grave enough for Microsoft to release an update at this time. “We strongly encourage customers to deploy the update as soon as possible” continues Guthrie. “The security update does not require any code or application changes.”
The patch addresses Security Advisory 2659883, is described in Security Bulletin 2638420, and is available through Windows Update, Windows Server Update Service, and the Microsoft website.
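The slowdown Guthrie describes can be measured on a toy hash table. The following is an added example, not code from Microsoft or from the original article: `weak_hash`, the constructed keys, the keyed hash and the 1000-field cap are all assumptions chosen for illustration, and none of them describes ASP.NET's hash function or what the update changes.

```python
import hashlib
import os
from urllib.parse import parse_qsl

BUCKETS = 1024

def weak_hash(key):
    # Toy hash for illustration only (sum of bytes); not ASP.NET's or PHP's.
    return sum(key.encode())

def make_keyed_hash(secret=None):
    # Mitigation 1: a per-process secret makes bucket placement unpredictable.
    secret = secret or os.urandom(16)
    def keyed(key):
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return keyed

def insert_all(keys, hash_fn):
    """Insert keys into a separate-chaining table; return total key comparisons."""
    buckets = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = buckets[hash_fn(key) % BUCKETS]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)
    return comparisons

def constructed_colliding_keys(n):
    # Constructed sample input: each digit is paired with its 9-complement, so
    # every key has the same byte sum and falls into one weak_hash bucket.
    keys = []
    for i in range(n):
        digits = f"{i:06d}"
        keys.append(digits + "".join(str(9 - int(d)) for d in digits))
    return keys

def parse_form(body, max_fields=1000):
    # Mitigation 2 (assumed cap): parse_qsl raises ValueError past max_num_fields.
    return dict(parse_qsl(body, keep_blank_values=True, max_num_fields=max_fields))

if __name__ == "__main__":
    keys = constructed_colliding_keys(2000)
    print("weak hash comparisons: ", insert_all(keys, weak_hash))
    print("keyed hash comparisons:", insert_all(keys, make_keyed_hash()))
```

With the weak hash, n colliding keys cost n(n-1)/2 comparisons, so doubling the size of the form quadruples the work; the keyed hash spreads the same keys across buckets, and the field cap bounds the work regardless of the hash.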