Softpedia
 


December 29th, 2011, 07:40 GMT · By Eduard Kovacs

Microsoft Releases Out-of-Band Security Bulletin for ASP.NET/IIS on All Windows Versions

On December 29, 2011, at 10:00 AM Pacific Time, Microsoft will release an out-of-band security update to address a critical security flaw in ASP.NET that affects all supported versions of the .NET Framework. The flaw could allow an unauthenticated denial-of-service (DoS) attack on servers that serve ASP.NET webpages.

These attacks, known as hash collision attacks, exploit hash tables and are not specific to Microsoft technologies; other web service software providers may be affected as well.

The weakness exists because of the manner in which ASP.NET processes the values in an ASP.NET form post. An attacker could send a small number of specially crafted posts to an ASP.NET server, degrading the machine’s performance enough to cause a DoS condition.
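
The cost of colliding form-field names described above can be measured directly. The following is an added example, not code from Microsoft or from the original article: it assumes a toy chained hash table with a deliberately weak hash, a constructed request body, and a hypothetical limit of 1000 fields per request, and it shows the quadratic slowdown next to two common mitigations (a keyed hash and a field-count cap).

```python
import hashlib, os
from itertools import permutations
from urllib.parse import parse_qsl

class CountingTable:
    """Chained hash table that counts key comparisons made during inserts."""
    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])

def weak_hash(key):
    # Toy unkeyed hash (sum of bytes): any reordering of a key collides.
    return sum(key.encode())

def make_keyed_hash(secret=None):
    # Per-process random key, so bucket placement cannot be precomputed.
    secret = secret or os.urandom(16)
    def keyed(key):
        d = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(d, "big")
    return keyed

def load_form(body, hash_fn, max_fields=1000):
    """Parse a urlencoded body into a CountingTable, refusing oversized forms."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if len(pairs) > max_fields:  # assumed cap, not a value from the article
        raise ValueError("too many form fields")
    table = CountingTable(hash_fn)
    for k, v in pairs:
        table.put(k, v)
    return table

def constructed_body(n):
    # Constructed sample: n distinct field names, all permutations of one string.
    names = ("".join(p) for p in permutations("abcdefg"))
    return "&".join(f"{name}=1" for _, name in zip(range(n), names))
```

With the weak hash, every one of the 500 constructed names lands in the same bucket, so each insert walks the whole chain; the keyed hash spreads the same names across buckets, and the cap bounds the worst case regardless of the hash.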

While the information is out there and hackers could take advantage of it, Microsoft is unaware of any active attacks that rely on this flaw.

Until the update is released, users should know that IIS is not enabled by default on currently supported versions of the operating system, and that sites that don’t allow the application/x-www-form-urlencoded or multipart/form-data HTTP content types are not susceptible to an attack.

Basically, sites that only serve static content or those that disallow the dynamic content types mentioned above are not vulnerable.

The update will be made available for all versions of Windows, including Windows XP Service Pack 3, Windows Server 2008 and Windows 7 for 64-bit systems. All Windows operating system users are advised to install the update as soon as it’s released to prevent any unfortunate incidents.

For now, there are no further details on the issue that affects Windows 7 64-bit, but judging by what Microsoft revealed on its German blog last week, a fix is unlikely to arrive soon. The company hasn’t provided any more details on that issue; the last time we heard from them, the problem was still being investigated.

Other web programming languages and applications are also susceptible to a similar DoS attack. Learn how this is possible.


READER COMMENTS:


Comment #1 by: Joe on 29 Dec 2011, 17:30 UTC

Microsoft is classing this out of band patch as an "Elevation of Privilege" impact level, so it's not just a denial of service issue. Or maybe they're patching multiple problems with one patch.
