Microsoft has released a security update to patch an issue associated with Security Advisory 2659883. The vulnerability apparently affects all versions of Microsoft’s .NET Framework, and could allow a denial-of-service attack on servers for ASP.NET pages.
“The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision,” reads the Security Advisory, published on 28 December. “It is possible for the attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial-of-service condition.”
Microsoft claims it is not aware of any specific exploits of the vulnerability. The patch (MS11-100) is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on “all supported editions of Microsoft Windows,” according to the company.
“We encourage affected customers to test and deploy the update as soon as possible,” Dave Forstrom, director of Microsoft Trustworthy Computing, wrote in a 29 December posting on the Microsoft Security Response Centre blog, adding that “consumers are not vulnerable unless they are running a web server from their computer.”
According to one analyst, the MS11-100 patch is a peculiar milestone for Microsoft. “Microsoft ends this year with a nice, round 100 security bulletins, compared with 106 for last year,” Andrew Storms, director of security operations for nCircle, which provides vulnerability management and compliance audit solutions, wrote in a 29 December statement. “Today’s out-of-band patch is the first one this year, and it breaks what would have been a perfect record for Microsoft’s 2011 patch schedule.”
Nor is the vulnerability unique to ASP.NET. According to a list published by two researchers on gmane.comp.security, other potentially affected products include PHP 4 and 5, Java, Apache Tomcat and Geronimo, Jetty, Oracle Glassfish, Python, Plone, CRuby 1.8, JRuby and Rubinius v8.
Apache has already updated Tomcat for versions 7.0.x and 6.0.x, with another planned for 5.5.x, and presumably other vendors will be offering mitigation advice for their respective platforms.
Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…
Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC
Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…
Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…
Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…
Elon Musk continues to provoke the ire of various leaders around the world with his…