Critical security update for ASP.NET over holiday

developerFusion is back for 2012 – best wishes for the New Year to all our readers.

Microsoft released an out-of-band security update Thursday to address a critical Denial of Service vulnerability in ASP.NET.

The attack was exposed last Wednesday at a security conference, whereby a hash collision attack was used against several web framework servers, including PHP and ASP.NET.

“Hash collision attacks attempt to populate a hash-table within a server app with large numbers of items whose keys resolve to the same hash code” writes Microsoft’s Scott Guthrie in announcing the patch. “These key collisions can significantly slow down operations on the hash-table, and with enough elements can cause a server to spend minutes (or even hours) processing them.”

The attack is possible through standard HTTP post requests and it can take very few of such requests to make the server unresponsive.

The gravity of this attack is clearly significant for Microsoft to release an update at this time. “We strongly encourage customers to deploy the update as soon as possible” continues Guthrie. “The security update does not require any code or application changes.”

The patch addresses Security Advisory 2659883 and is described in Security Bulletin 2638420 and is available through Windows Update, Windows Server Update Service, and the Microsoft website.

You might also like...



Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law.”