December 30, 2011

Microsoft Releases Emergency Patch To Address Zero-Day Vulnerability

Microsoft released an emergency update for ASP .Net on Thursday, one day after a pair of security researchers unveiled findings showing that hackers could use a solitary machine and a broadband connection to launch denial-of-service (DoS) attacks against websites built on the platform.

Speaking at the Chaos Communication Congress (CCC) in Berlin, German researchers Julian Wälde and Alexander Klink reported finding flaws not only in ASP .Net, but also open-source PHP and Ruby, Oracle's Java, and Google's V8 JavaScript that could put countless websites and Web applications at risk from DoS attacks, Computerworld's Gregg Keizer and eWeek's Fahmida Y. Rashid have reported.

Keizer said that Microsoft initially issued a security advisory, promising to patch the vulnerability and offering users a workaround that would help them protect themselves while the Redmond, Washington-based tech corporation worked on a solution to the flaw. The company then announced that it was shipping an emergency, or "out-of-band," update.

That update, designated MS11-100, was released at 1 p.m. ET on Thursday, Keizer said.

According to Rashid, the flaw, which has been dubbed the "zero-day vulnerability," can be exploited by cybercriminals to essentially consume all of a Web server's CPU resources, ultimately resulting in denial-of-service conditions.

"The exploit uses a specially crafted HTTP request containing thousands of form values to create a hash table that is computationally expensive to process," she wrote in a December 29 article. "Any ASP.NET Website that accepts form data is likely to be vulnerable, as well as Web servers running the default configuration of Internet Information Services (IIS) when ASP.NET is enabled, according to the post."

"An HTTP request that is merely 100KB in size can lock up 100 percent of a single CPU core for almost 2 minutes on the ASP.NET platform. Attackers could repeatedly send these requests and cause the server's performance to degrade significantly and cause a denial of service," Rashid added, noting that experts believe that the attack "could even impact multicore servers and server clusters."
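
The cost described in the quoted passages can be reproduced on a toy table. The following Python sketch is an added example, not code from Microsoft or the researchers; the byte-sum hash, the bucket count, the 1,000-field cap and all function names are assumptions chosen for illustration. It counts key comparisons for the same constructed key set under an unkeyed and a keyed hash, and shows a field-count check applied before a form body is parsed.

```python
# Added illustration: toy chained hash table, not ASP.NET's implementation.
import hashlib
import os

BUCKETS = 1024
MAX_FORM_KEYS = 1000            # assumed cap for this sketch
_SECRET = os.urandom(16)        # per-process key for the hardened hash


def weak_hash(key: str) -> int:
    """Unkeyed byte sum: predictable, so keys can be chosen to collide."""
    return sum(key.encode()) % BUCKETS


def keyed_hash(key: str) -> int:
    """Keyed hash: bucket choice is unpredictable without _SECRET."""
    digest = hashlib.blake2b(key.encode(), key=_SECRET, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def insertion_cost(keys, hash_fn) -> int:
    """Insert keys into a chained table; return the key comparisons made."""
    buckets = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = buckets[hash_fn(key)]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)
    return comparisons


def check_field_count(body: str, max_keys: int = MAX_FORM_KEYS) -> int:
    """Count form fields before parsing; refuse bodies over the cap."""
    fields = body.count("&") + 1 if body else 0
    if fields > max_keys:
        raise ValueError(f"{fields} form fields exceeds cap of {max_keys}")
    return fields


# Constructed sample: 500 distinct keys with an identical byte sum.
COLLIDING = ["b" * i + "ac" + "b" * (499 - i) for i in range(500)]

if __name__ == "__main__":
    print("weak hash :", insertion_cost(COLLIDING, weak_hash))
    print("keyed hash:", insertion_cost(COLLIDING, keyed_hash))
    print("fields    :", check_field_count("a=1&b=2"))
```

With every key in one chain, the unkeyed table performs n(n-1)/2 comparisons, which is the quadratic growth behind the CPU exhaustion; the keyed hash spreads the same keys across buckets, and the field cap bounds n before any hashing happens.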

Andrew Storms, the director of security operations at nCircle, told eWeek that this specific type of DoS attack differs from other, similar types because it does not require botnets or a coordinated effort in order to overwhelm an online server.

"An attacker with little resources can effectively take out a site fairly easily," Storms told Keizer.

