ASP.NET Security Update Shipping [MS11-100]
December 30, 2011 at 10:11 AM
Vulnerability in ASP.NET Could Allow Denial of Service
Security Vulnerability
On Dec 28th 2011, details were published at a security conference describing a new method to exploit the hash-table data structures used in web frameworks. Attacks targeting this type of vulnerability are generically known as “hash collision attacks”.
Hash collision attacks attempt to populate a hash-table within a server app with large numbers of items whose keys resolve to the same hash code. These key collisions can significantly slow down operations on the hash-table, and with enough elements can cause a server to spend minutes (or even hours) processing them. This can block a web server from processing requests from other users, and cause a denial of service (meaning the web site becomes unresponsive or slow).
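To make the cost concrete, here is an added illustration (not part of the original post and not ASP.NET code): a toy chained hash table that counts key comparisons when keys spread across buckets versus when every key shares one hash code. The table, both hash functions and the `field{i}` names are constructed for the example and do not model ASP.NET's real hash function.

```python
import hashlib


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn, buckets=4096):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]  # fixed size, no resizing
        self.comparisons = 0

    def put(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:  # every earlier key in this bucket is compared
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def spread_hash(key):
    # Stand-in for a well-distributed hash: keys land in different buckets.
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")


def degenerate_hash(key):
    # Models the worst case described above: every key gets the same hash code.
    return 0


def insert_cost(n, hash_fn):
    """Insert n distinct form-field names; return total key comparisons."""
    table = ChainedTable(hash_fn)
    for i in range(n):
        table.put(f"field{i}", "x")
    return table.comparisons


def worst_case(n):
    # With all keys in one chain, the i-th insert scans the i earlier keys.
    return n * (n - 1) // 2


if __name__ == "__main__":
    for n in (500, 1000, 2000):
        print(n, insert_cost(n, spread_hash), insert_cost(n, degenerate_hash))
```

Doubling the number of colliding keys roughly quadruples the work, which is why a single request carrying many such keys can occupy a server for so long.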
Attacks such as these are not specific to any particular language or operating system. Presenters at the security conference discussed how to cause them using standard HTTP form posts against several different web frameworks (including ASP.NET). Because these attacks on web frameworks can create Denial of Service issues with relatively few HTTP requests, there is a high likelihood of attacks happening using this approach. We strongly encourage customers to deploy the update as soon as possible.
The security update we are releasing on Thursday, December 29th updates ASP.NET so that attackers can no longer perform these attacks. The security update does not require any code or application changes.
More info: http://technet.microsoft.com/en-us/security/advisory/2659883
Download Update
1. Windows Update (KB2656356)

2. Microsoft Download Center - http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28573