Quick action to patch ASP.NET vulnerability
Written by Kay Ewbank   
Thursday, 29 December 2011

Microsoft is releasing an out-of-band security update today for an ASP.NET Security Vulnerability revealed yesterday, December 28, 2011.

The update closes a security hole that could be used to launch Denial of Service attacks, though Microsoft says it is currently unaware of any attacks on ASP.NET customers that exploit this issue.


The problem doesn’t just affect ASP.NET; the method described works against products including PHP 4 and 5, Java, Apache Tomcat and Geronimo, Jetty, Oracle GlassFish, Python, Plone, CRuby 1.8, JRuby, Rubinius and the V8 JavaScript engine, according to the advisory posted on the gmane.comp.security full disclosure mailing list.

The details of the attack method were presented at the 28th Chaos Communication Congress (28C3), where security researchers Julian Wälde and Alexander Klink demonstrated a new way to attack web application frameworks by exploiting the hash-table data structures they use to store request data.

According to Microsoft’s Security Bulletin, hash collision attacks attempt to populate a hash table within a server application with large numbers of items whose keys resolve to the same hash code. Such colliding keys all land in the same bucket, so every insert or lookup has to walk the whole chain and the total work grows quadratically with the number of keys; with enough elements a server can spend minutes (or even hours) processing a single request. This blocks the web server from serving other users and causes a denial of service.

The bulletin also points out that because these attacks on web frameworks can create Denial of Service issues with relatively few HTTP requests, there is a high likelihood of attacks happening using this approach.

It’s worth noting that the attack rides on the automatic parsing of POST bodies into the form collection, so if your site rejects both the application/x-www-form-urlencoded and multipart/form-data HTTP content types it is not vulnerable. Most sites cannot do that, which is why Microsoft is releasing an out-of-band security update on Thursday, December 29 at approximately 10am Pacific Time.
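To make the mechanism described above concrete, here is an added example (it is not code from the article, from Microsoft or from the researchers). It simulates the form-collection parsing that every affected framework does: a toy separate-chaining hash table counts the key comparisons a request costs, a constructed attacker POST body is built from 1024 distinct keys that all share one hash value under the common `31*h + c` string hash, and two mitigations are tried. The hash table, the `parse_form` helper, the blake2b-keyed hash standing in for a per-process randomized hash, and the 1000-key cap are all assumptions of this example; the cap mirrors the approach of limiting the number of form entries per request rather than any specific product setting.

```python
"""Hash-collision denial of service against a chained hash table, with mitigations."""
import hashlib
import itertools


def java_string_hash(s: str, seed: int = 0) -> int:
    """The multiplicative string hash h = 31*h + c (as in Java's String.hashCode
    and many similar hashes). The optional seed is a naive 'randomization'
    attempt: it prepends state but, as shown below, does not break collisions."""
    h = seed
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def colliding_keys(n_blocks: int) -> list:
    """Return 2**n_blocks distinct strings with identical java_string_hash values.
    'Aa' and 'BB' collide (31*65 + 97 == 31*66 + 66 == 2112), and because the
    hash is a polynomial in 31, any concatenation of n_blocks such pairs collides too."""
    return ["".join(blocks) for blocks in itertools.product(("Aa", "BB"), repeat=n_blocks)]


def keyed_hash(secret: bytes):
    """A genuinely keyed hash (BLAKE2b with a secret key), standing in for the
    per-process random hash seed that hardened runtimes use (assumption)."""
    def h(s: str) -> int:
        digest = hashlib.blake2b(s.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return h


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons,
    i.e. the work an attacker forces the server to perform."""

    def __init__(self, hash_fn, n_buckets: int = 1024, max_keys=None):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(n_buckets)]
        self.max_keys = max_keys      # request-level cap on distinct keys (None = unlimited)
        self.size = 0
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        if self.max_keys is not None and self.size >= self.max_keys:
            raise ValueError("too many form keys in one request")
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:               # walk the chain looking for an existing key
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])
        self.size += 1


def parse_form(body: str, hash_fn, max_keys=None) -> int:
    """Parse an application/x-www-form-urlencoded body into a ChainedTable, the way
    a framework builds its form collection, and return the comparisons it cost."""
    table = ChainedTable(hash_fn, max_keys=max_keys)
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        table.insert(key, value)
    return table.comparisons


def demo(n_blocks: int = 10) -> dict:
    """Run the attack body through the vulnerable hash, a naively seeded hash,
    a keyed hash, and a capped table; return the measurements."""
    attack_keys = colliding_keys(n_blocks)                      # 1024 keys, one hash value
    attack_body = "&".join(f"{k}=x" for k in attack_keys)       # constructed attacker POST body
    benign_body = "&".join(f"field{i}=x" for i in range(len(attack_keys)))  # constructed normal form
    results = {
        "distinct_hashes_unseeded": len({java_string_hash(k) for k in attack_keys}),
        # same-length keys: the seed term seed*31**len cancels, so they still collide
        "distinct_hashes_seeded": len({java_string_hash(k, seed=0x9E3779B9) for k in attack_keys}),
        "comparisons_benign": parse_form(benign_body, java_string_hash),
        "comparisons_vulnerable": parse_form(attack_body, java_string_hash),
        "comparisons_keyed": parse_form(attack_body, keyed_hash(b"per-process secret")),
    }
    try:
        parse_form(attack_body, java_string_hash, max_keys=1000)
        results["capped_rejected"] = False
    except ValueError:
        results["capped_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the numbers make: 1024 colliding keys cost 1024*1023/2 = 523,776 comparisons against a few hundred for a benign form of the same size, and since the cost is quadratic in the number of keys, an attacker needs only one modest POST per core to keep a server busy. Prepending a seed to a polynomial hash does nothing for same-length keys, so a real fix needs either a properly keyed hash or a hard cap on the number of entries a request may put into the collection (or both).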

Last Updated ( Thursday, 29 December 2011 )