Microsoft has issued a critical security patch to fix a vulnerability affecting all versions of Microsoft's .NET Framework.
Microsoft has released a
security update to patch an issue associated with Security
. The vulnerability apparently affects all versions of
Microsoft's .NET Framework, and could allow a denial-of-service attack on
servers for ASP.NET pages.
exists due to the way that ASP.NET processes values in an ASP.NET form post
causing a hash collision," reads the Security
, published Dec. 28. "It is possible for the attacker to send
a small number of specially crafted posts to an ASP.NET server, causing
performance to degrade significantly enough to cause a denial-of-service
Microsoft claims it is not
aware of any specific exploits of the vulnerability. The patch (MS11-100
is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft
.NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1,
Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on
"all supported editions of
Microsoft Windows," according to the company.
"We encourage affected
customers to test and deploy the update as soon as possible," Dave
Forstrom, director of Microsoft Trustworthy Computing, wrote in a Dec. 29
posting on the Microsoft Security
blog, adding that "consumers are not vulnerable unless
they are running a Web server from their computer."
That represents an update
from Dec. 28, when he wrote that Microsoft teams were working "around the
clock worldwide" to address the issue.
According to one analyst,
the MS11-100 patch is a peculiar milestone for Microsoft. "Microsoft ends
this year with a nice, round 100 security bulletins, compared with 106 for last
year," Andrew Storms, director of security operations for nCircle, which
provides vulnerability management and compliance audit solutions, wrote in a
Dec. 29 statement. "Today's out-of-band patch is the first one this year,
and it breaks what would have been a perfect record for Microsoft's 2011 patch
Nor is the vulnerability unique
to ASP.NET. According to a list published by two researchers on gmane.comp.security
other potentially affected products include PHP 4 and 5, Java, Apache Tomcat and
Geronimo, Jetty, Oracle Glassfish, Python, Plone, CRuby 1.8, JRuby and Rubinius
v8. Apache has already updated Tomcat for versions 7.0.x and 6.0.x, with
another planned for 5.5.x, and presumably other vendors will be offering
mitigation advice for their respective platforms.
Nicholas Kolakowski on Twitter