ASP.NET Security Update Shipping Thursday, Dec 29th

Post Info

Author: ScottGu's Blog

Date: Thursday 29 December 2011

Full Post URL: http://weblogs.asp.net/scottgu/archive/2011/12/28/asp-net-security-update-shipping-thursday-dec-29th.aspx

Post Summary

A few minutes ago Microsoft released an advance notification security bulletin announcing that we are releasing an out-of-band security update to address an ASP.NET Security Vulnerability.

The security update we are releasing resolves a publicly disclosed Denial of Service issue present in all versions of ASP.NET.  We’re currently unaware of any attacks on ASP.NET customers using this exploit, but we strongly encourage customers to deploy the update as soon as possible. 

We are releasing the security update via Windows Update and the Windows Server Update Service.  You can also manually download and install it via the Microsoft Download Center.  We will release the update on Thursday, December 29th at approximately 10am Pacific Time (US and Canada).  We are announcing it ahead of time to ensure that administrators know that the security update is coming, and are prepared to apply it once it is available.

More about the Security Vulnerability

On Dec 28th 2011, details were published at a security conference describing a new method to exploit hash-table data-structures used in web frameworks.  Attacks targeting this type of vulnerability are generically known as “hash collision attacks”.

Hash collision attacks attempt to populate a hash-table within a server app with large numbers of items whose keys resolve to the same hash code.  These key collisions can significantly slow down operations on the hash-table, and with enough elements can cause a server to spend minutes (or even hours) processing them.  This can block a web server from processing requests from other users, and cause a denial of service (meaning the web site becomes unresponsive or slow).

Attacks such as these are not specific to any particular language or operating system.  Presenters at the security conference discussed how to cause them using standard HTTP form posts against several different web frameworks (including ASP.NET).  Because these attacks on web frameworks can create Denial of Service issues with relatively few HTTP requests, there is a high likelihood of attacks happening using this approach.  We strongly encourage customers to deploy the update as soon as possible.

The security update we are releasing on Thursday, December 29th updates ASP.NET so that attackers can no longer perform these attacks.  The security update does not require any code or application changes. 

Learn More

You can learn more about this security vulnerability from the Microsoft Security Advisory (2659883) we have already released.  We will release the security update on Windows Update, the Windows Server Update Service and the Microsoft Download Center on Thursday Dec 29th at approximately 10:00am Pacific Time (US and Canada).  We will also hold a webcast about this issue on Dec 29th at 1 p.m. PST. Click here to register.

If you have questions about the vulnerability or have any issues applying the update, you can post questions in the Security Vulnerability forum on the www.asp.net web-site.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Hope this helps,

Scott

A bit of a disclaimer

Please note that the content on this page does not belong to me in any way.

I've selected a number of blogs or news feeds here from sources that I value and am very pleased to share with others. I have no rights to the content shown on this page and, equally, have no responsibility for the opinions expressed.

I do not attempt to claim any credit for the value of this information, other than any credit that is associated with reading and enjoying it myself.