    Microsoft Releases Workarounds for DoS Zero-Day Bug in ASP.NET

    Written by

    Fahmida Y. Rashid
    Published December 28, 2011

      Microsoft has released a workaround for an ASP.NET vulnerability to help protect Websites against potential denial-of-service (DoS) attacks, according to a security advisory.

      The publicly disclosed vulnerability affects all supported versions of the .NET framework, but Microsoft is “not aware” of any attacks in the wild currently exploiting the flaw, Dave Forstrom, director of Microsoft Trustworthy Computing, wrote on the Microsoft Security Response Center blog on Dec. 28. While Microsoft is working on a patch to address the bug, Forstrom did not indicate when the fix will be available.

      An anonymous attacker could exploit the zero-day vulnerability to efficiently consume all CPU resources on a Web server, resulting in a denial-of-service condition, Suha Can and Jonathan Ness, MSRC engineers, wrote on the Security Research and Defense blog.

      The exploit uses a specially crafted HTTP request containing thousands of form values to create a hash table that is computationally expensive to process. Any ASP.NET Website that accepts form data is likely to be vulnerable, as well as Web servers running the default configuration of Internet Information Services (IIS) when ASP.NET is enabled, according to the post.
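Why thousands of form values can be so expensive is easiest to see on a small model. The added example below is not from the article, from Microsoft's advisory or from the researchers' talk: it builds a minimal separate-chaining hash table, feeds it form keys that all land in one bucket under a deliberately weak toy hash (the sum of byte values, chosen because anagrams collide; no real framework uses it), and counts the key comparisons. Inserting n colliding keys costs n(n-1)/2 comparisons, which is the quadratic blow-up the advisory describes. The same keys hashed with a keyed BLAKE2b (a stand-in for the per-process randomised hashing that frameworks adopted as the long-term fix) spread across buckets again. The seed, bucket count and key set are constructed for the demonstration.

```python
"""Added example: hash-table degradation under colliding form keys.

Not code from the eWEEK article, Microsoft's advisory or the 28C3 talk.
weak_hash is a toy (sum of byte values) standing in for the deterministic
framework hashes discussed on the page; the keyed BLAKE2b hash shows the
mitigation of randomising the hash per process so colliding keys cannot
be precomputed. Sample keys are constructed permutations of one string.
"""
import hashlib
import itertools
import os
from typing import Callable, List, Tuple


def weak_hash(key: str) -> int:
    """Toy hash: every permutation of the same characters collides."""
    return sum(key.encode())


def make_keyed_hash(seed: bytes) -> Callable[[str], int]:
    """Keyed hash: without the seed an attacker cannot craft collisions.
    (blake2b's key= parameter is a real hashlib API; the seed is assumed
    to be generated once per process and never disclosed.)"""
    def keyed(key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return keyed


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons,
    which is what the CPU spends its time on when a chain gets long."""

    def __init__(self, hash_fn: Callable[[str], int], nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets: List[List[Tuple[str, str]]] = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1          # one comparison per chain entry walked
            if existing == key:
                chain[i] = (key, value)    # duplicate form field: overwrite
                return
        chain.append((key, value))

    def longest_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)


def colliding_form_keys(n: int) -> List[str]:
    """Constructed sample input: n distinct permutations of 'abcdefgh'.
    They are all different form-field names but identical under weak_hash."""
    return ["".join(p) for p in itertools.islice(itertools.permutations("abcdefgh"), n)]


def measure(hash_fn: Callable[[str], int], keys: List[str]) -> Tuple[int, int]:
    """Insert every key as a form field; return (comparisons, longest chain)."""
    table = ChainedTable(hash_fn)
    for key in keys:
        table.insert(key, "x")
    return table.comparisons, table.longest_chain()


if __name__ == "__main__":
    keys = colliding_form_keys(2000)
    for name, fn in (("weak, unkeyed", weak_hash),
                     ("keyed blake2b", make_keyed_hash(os.urandom(16)))):
        comparisons, longest = measure(fn, keys)
        print(f"{name:14s} comparisons={comparisons:>9d} longest_chain={longest}")
```

With 2,000 colliding keys the unkeyed table does 1,999,000 comparisons and has a single chain of length 2,000; the keyed table does on the order of two thousand comparisons and its longest chain stays in single or low double digits. The two short-term defences the advisory reaches for, a request size cap and a limit on the number of form values, both work by keeping n small, which is why they help even before the hash function itself is changed.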

      “Our teams are working around the clock worldwide to develop a security update of appropriate quality to address the issue,” Forstrom wrote.

      Microsoft’s suggested workaround modifies the Web and application host configuration files to define a maximum limit to the request size that ASP.NET will accept, according to the security advisory. Decreasing the limit will also lower the “susceptibility” of the ASP.NET server and the Web application, Microsoft said. The configuration change will result in the server returning an error whenever a request exceeding the maximum limit is sent. However, applications that allow users to upload files may be impacted by the configuration change.
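The workaround's logic, rejecting a request on size before the form parser ever sees it, can be reproduced in front of any form-handling endpoint. The added example below is not from the article, from Microsoft's advisory or from ASP.NET itself; in ASP.NET the setting is the `maxRequestLength` attribute of `httpRuntime` in web.config, and this is a generic re-creation of the same gate in Python. It adds a second gate the paragraph does not mention, a cap on the number of form fields via `urllib.parse.parse_qsl(max_num_fields=...)` (a real standard-library parameter), because a body well under the size limit can still carry thousands of tiny fields. The limit values, the upload path and the sample requests are all constructed assumptions; the per-path exemption shows one way to keep the file-upload functionality the paragraph warns about working.

```python
"""Added example: request pre-filter mirroring the size-limit workaround.

Not code from the eWEEK article, Microsoft's advisory or ASP.NET. Rejects
a form POST whose body exceeds a fixed limit before parsing it (what the
httpRuntime maxRequestLength setting does in ASP.NET), and separately caps
the number of form fields. All limits and paths below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qsl

MAX_BODY_BYTES = 200 * 1024              # assumed general limit
UPLOAD_BODY_BYTES = 50 * 1024 * 1024     # assumed larger limit for uploads
UPLOAD_PATHS = {"/upload"}               # assumed paths that need the larger limit
MAX_FORM_FIELDS = 1000                   # assumed cap on form values per request


@dataclass
class Decision:
    allowed: bool
    status: int          # HTTP status the server would return
    reason: str          # suitable for a detection log line
    fields: Optional[Dict[str, str]] = None


def body_limit_for(path: str) -> int:
    return UPLOAD_BODY_BYTES if path in UPLOAD_PATHS else MAX_BODY_BYTES


def screen_form_request(path: str, headers: Dict[str, str], body: bytes) -> Decision:
    """Apply the size gate, then the field-count gate, then parse."""
    limit = body_limit_for(path)
    lowered = {k.lower(): v for k, v in headers.items()}

    # Gate 1: size. Check the declared length (so a huge upload can be refused
    # before it is read) and the actual length (so a lying header does not help).
    try:
        declared = int(lowered.get("content-length", str(len(body))))
    except ValueError:
        return Decision(False, 400, "malformed Content-Length header")
    if declared > limit or len(body) > limit:
        return Decision(False, 413,
                        f"body {max(declared, len(body))} bytes exceeds limit {limit} for {path}")

    # Gate 2: number of form fields. parse_qsl raises ValueError when the
    # count exceeds max_num_fields, before it builds the dictionary.
    try:
        pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                          max_num_fields=MAX_FORM_FIELDS)
    except ValueError:
        return Decision(False, 400, f"more than {MAX_FORM_FIELDS} form fields in {path}")

    return Decision(True, 200, "ok", dict(pairs))


def constructed_many_fields_body(n: int) -> bytes:
    """Constructed sample: n distinct small fields, well under the size limit."""
    return "&".join(f"f{i}=1" for i in range(n)).encode()


if __name__ == "__main__":
    samples = [
        ("/login", {"Content-Length": "21"}, b"user=alice&remember=1"),
        ("/login", {"Content-Length": str(300 * 1024)}, b"a" * (300 * 1024)),
        ("/login", {}, constructed_many_fields_body(5000)),
        ("/upload", {"Content-Length": str(300 * 1024)}, b"a" * (300 * 1024)),
    ]
    for path, headers, body in samples:
        d = screen_form_request(path, headers, body)
        print(f"{path:8s} {d.status} {d.reason}")
```

The third sample is the reason the second gate exists: 5,000 fields fit in roughly 35 KB, so a size limit alone would pass it to the parser. Logging the `reason` string for every 413 and 400 gives the "attack detection" the advisory asks site owners to put in place: a burst of size or field-count rejections from one client is exactly the pattern to alert on.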

      An HTTP request that is merely 100KB in size can lock up 100 percent of a single CPU core for almost 2 minutes on the ASP.NET platform. Attackers could repeatedly send these requests and cause the server’s performance to degrade significantly and cause a denial of service. Can and Ness said the requests could even impact multicore servers and server clusters.

      Attacks exploiting this vulnerability would differ from typical DoS attacks because they won’t require a botnet or a lot of coordination to take the Web server down, Andrew Storms, director of security operations of nCircle, told eWEEK. While most DoS attacks rely on a huge number of small requests to overwhelm a Web server, in this case a single request can consume a single core for 90 seconds, he said.

      “Queue up a few of these requests every few minutes, and the site will be essentially knocked offline,” Storms said.

      Security researchers Julian Wälde and Alexander Klink presented the new way to attack Web Application Frameworks at the Chaos Communication Congress conference in Germany on Dec. 28. They also posted details of the vulnerability on the gmane.comp.security full disclosure mailing list.

      The zero-day vulnerability is not unique to ASP.NET, as the list of affected products includes PHP 4 and 5, Java, Apache Tomcat and Geronimo, Jetty, Oracle Glassfish, Python, Plone, CRuby 1.8, JRuby and Rubinius v8, according to the post on the full disclosure list. While there are no active attacks in the wild, Microsoft anticipates an “imminent” release of exploit code, Can and Ness wrote.

      Storms predicted other vendors will be making similar zero-day announcements and coming up with mitigation advice for other platforms. Apache has already updated Tomcat for versions 7.0.x and 6.0.x and a release is planned for 5.5.x, Mark Thomas of the Apache Software Foundation Security Team told eWEEK. Other vendors have not responded to queries.

      “Every year around the holidays we get a security fire drill, and this year is no exception,” Storms said.

      Microsoft will deliver an emergency patch “pretty quickly,” possibly sometime this week, Storms predicted. Testing and deploying the emergency patch could pose a challenge for most enterprise IT teams, as they may be “running skeleton crews,” Storms said.

      ASP.NET Website owners should review the advisory to “evaluate the denial-of-service risk” and to implement the workaround and attack detection mechanisms to protect the sites until a security update is available, Microsoft recommended. The company is also working with partners through the Microsoft Active Protections Program to help build protections in other software products, according to Forstrom.
