Microsoft has issued a critical security patch to fix a vulnerability affecting all versions of Microsoft's .NET Framework.
Microsoft has released a security update to patch an issue associated with Security Advisory 2659883. The vulnerability apparently affects all versions of Microsoft's .NET Framework, and could allow a denial-of-service attack on servers for ASP.NET pages.
"The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision," reads the Security Advisory, published Dec. 28. "It is possible for the attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial-of-service condition."
Microsoft claims it is not aware of any specific exploits of the vulnerability. The patch (MS11-100) is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on "all supported editions of Microsoft Windows," according to the company.
"We encourage affected customers to test and deploy the update as soon as possible," Dave Forstrom, director of Microsoft Trustworthy Computing, wrote in a Dec. 29 posting on the Microsoft Security Response Center blog, adding that "consumers are not vulnerable unless they are running a Web server from their computer."
That represents an update from Dec. 28, when he wrote that Microsoft teams were working "around the clock worldwide" to address the issue.
According to one analyst, the MS11-100 patch is a peculiar milestone for Microsoft. "Microsoft ends this year with a nice, round 100 security bulletins, compared with 106 for last year," Andrew Storms, director of security operations for nCircle, which provides vulnerability management and compliance audit solutions, wrote in a Dec. 29 statement. "Today's out-of-band patch is the first one this year, and it breaks what would have been a perfect record for Microsoft's 2011 patch schedule."
Nor is the vulnerability unique to ASP.NET. According to a list published by two researchers on gmane.comp.security, other potentially affected products include PHP 4 and 5, Java, Apache Tomcat and Geronimo, Jetty, Oracle Glassfish, Python, Plone, CRuby 1.8, JRuby and Rubinius v8. Apache has already updated Tomcat for versions 7.0.x and 6.0.x, with another planned for 5.5.x, and presumably other vendors will be offering mitigation advice for their respective platforms.
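The two points above, the mechanism quoted from the advisory (form-post values that all hash to the same slot, so the server's per-request work grows with the square of the field count) and the fact that every runtime on the researchers' list shares the same data-structure weakness, are easier to see in a small model. The following is an added example, not code from the article, from Microsoft or from any of the affected projects. It models a form-body parser backed by a chained hash table and counts the key comparisons a request costs. `weak_hash` is a constructed, deliberately poor hash (a plain sum of character codes) chosen so that the collision behaviour is easy to reason about; no real framework uses it. It then shows the two defences the affected vendors adopted: a keyed, per-process hash so collisions cannot be precomputed, and a hard cap on the number of fields a single request may carry (MS11-100 itself introduced such a cap, configurable through the `aspnet:MaxHttpCollectionKeys` setting with a default of 1000; that detail is not in the article). All request bodies are constructed sample input.

```python
"""Toy model of the hash-collision denial of service described in MS11-100.

Added example, not code from the article, from Microsoft or from ASP.NET.
`weak_hash` is a constructed, deliberately poor hash; the request bodies
below are constructed sample input.
"""
import hashlib
import itertools
import secrets
from typing import Callable, List, Optional, Tuple

BUCKETS = 16384
# A per-process random key, as a runtime with randomized string hashing would
# draw at start-up. Colliding inputs cannot be precomputed without knowing it.
_PROCESS_KEY = secrets.token_bytes(16)


def weak_hash(key: str) -> int:
    """Order-insensitive toy hash: every anagram of a key shares one bucket."""
    return sum(ord(c) for c in key)


def keyed_hash(key: str, secret: bytes = _PROCESS_KEY) -> int:
    """Keyed hash (BLAKE2b used as a PRF): bucket placement depends on the secret."""
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")


class FormTable:
    """Chained hash table that records how many key comparisons it performs."""

    def __init__(self, hash_fn: Callable[[str], int]) -> None:
        self._hash = hash_fn
        self._buckets: List[List[Tuple[str, str]]] = [[] for _ in range(BUCKETS)]
        self.comparisons = 0  # total string compares spent walking chains

    def set(self, key: str, value: str) -> None:
        chain = self._buckets[self._hash(key) % BUCKETS]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1  # one compare per entry already in the chain
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def get(self, key: str) -> Optional[str]:
        for k, v in self._buckets[self._hash(key) % BUCKETS]:
            self.comparisons += 1
            if k == key:
                return v
        return None


def parse_form(body: str, hash_fn: Callable[[str], int],
               max_keys: Optional[int] = None) -> FormTable:
    """Parse `k=v&k=v...` into a FormTable.

    `max_keys` models the mitigation of capping the fields one request may
    carry: the request is rejected as soon as the cap is exceeded, which bounds
    the work a client can force no matter how the keys hash.
    """
    table = FormTable(hash_fn)
    seen = 0
    for pair in filter(None, body.split("&")):
        seen += 1
        if max_keys is not None and seen > max_keys:
            raise ValueError(f"too many form fields: more than {max_keys}")
        key, _, value = pair.partition("=")
        table.set(key, value)
    return table


def request_cost(body: str, hash_fn: Callable[[str], int],
                 max_keys: Optional[int] = None) -> Optional[int]:
    """Comparisons spent parsing `body`, or None if the cap rejected it."""
    try:
        return parse_form(body, hash_fn, max_keys).comparisons
    except ValueError:
        return None


def colliding_body(n: int) -> str:
    """Constructed request whose n field names are anagrams of one string."""
    names = ("".join(p) for p in itertools.permutations("abcdefg"))
    return "&".join(f"{name}=x" for name in itertools.islice(names, n))


def benign_body(n: int) -> str:
    """Constructed request with n ordinary, distinct field names."""
    return "&".join(f"field{i}=x" for i in range(n))


if __name__ == "__main__":
    n = 1000
    print("benign,    weak hash :", request_cost(benign_body(n), weak_hash))
    print("colliding, weak hash :", request_cost(colliding_body(n), weak_hash))
    print("colliding, keyed hash:", request_cost(colliding_body(n), keyed_hash))
    print("colliding, weak hash, 1000-field cap:",
          request_cost(colliding_body(5000), weak_hash, max_keys=1000))
```

With the weak hash, a thousand anagram field names cost exactly 1000 × 999 / 2 = 499,500 comparisons, against roughly twenty thousand for a thousand ordinary names; the keyed hash spreads the same hostile request over the table and brings the cost down to a few dozen, and the field cap rejects an oversized request before any quadratic work is done. The cap is the cheaper change to ship in a patch, which is why it was the first line of defence; randomized hashing removes the root cause but requires changing the runtime's string hash, which several of the listed projects went on to do.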
Follow Nicholas Kolakowski on Twitter