Categories: SecurityWorkspace

Microsoft Releases ASP.NET Patch

Microsoft has released a security update to patch an issue associated with Security Advisory 2659883. The vulnerability apparently affects all versions of Microsoft’s .NET Framework, and could allow a denial-of-service attack on servers for ASP.NET pages.

“The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision,” reads the Security Advisory, published on 28 December. “It is possible for the attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial-of-service condition.”

No exploits

Microsoft claims it is not aware of any specific exploits of the vulnerability. The patch (MS11-100) is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on “all supported editions of Microsoft Windows,” according to the company.

“We encourage affected customers to test and deploy the update as soon as possible,” Dave Forstrom, director of Microsoft Trustworthy Computing, wrote in a 29 December posting on the Microsoft Security Response Centre blog, adding that “consumers are not vulnerable unless they are running a web server from their computer.”

That represents an update from 28 December, when he wrote that Microsoft teams were working “around the clock worldwide” to address the issue.

According to one analyst, the MS11-100 patch is a peculiar milestone for Microsoft. “Microsoft ends this year with a nice, round 100 security bulletins, compared with 106 for last year,” Andrew Storms, director of security operations for nCircle, which provides vulnerability management and compliance audit solutions, wrote in a 29 December statement. “Today’s out-of-band patch is the first one this year, and it breaks what would have been a perfect record for Microsoft’s 2011 patch schedule.”

Other products affected

Nor is the vulnerability unique to ASP.NET. According to a list published by two researchers on gmane.comp.security, other potentially affected products include PHP 4 and 5, Java, Apache Tomcat and Geronimo, Jetty, Oracle Glassfish, Python, Plone, CRuby 1.8, JRuby and Rubinius v8.

Apache has already updated Tomcat for versions 7.0.x and 6.0.x, with another planned for 5.5.x, and presumably other vendors will be offering mitigation advice for their respective platforms.

Nicholas Kolakowski eWEEK USA 2013. Ziff Davis Enterprise Inc. All Rights Reserved.

Share
Published by
Nicholas Kolakowski eWEEK USA 2013. Ziff Davis Enterprise Inc. All Rights Reserved.
Tags: patch

Recent Posts

Northvolt Mulls US Bankruptcy Protection – Report

Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…

1 day ago

FTC Plans Investigation Into Microsoft Cloud Business – Report

Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC

1 day ago

Programmer Sentenced To Five Years In Prison For Bitcoin Laundering

Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…

1 day ago

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

2 days ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

2 days ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

2 days ago