14 DAY TRIAL // On December 29, 2011, at 10:00 AM Pacific Time Microsoft will release an out-of-band security update to address a critical security flaw found in ASP.NET, that affects all supported versions of the .NET framework, which could allow for an unauthenticated denial-of-service (DoS) attack on servers that serve ASP.NET webpages.
These attacks that exploit hash tables, known as hash collision attacks, are not specific to Microsoft technologies, but other web service software providers may be affected.
The weakness exists because of the manner in which ASP.NET processes values in ASP.NET form post. An attacker could send a small number of specially crafted posts to an ASP.NET server, causing the machine’s performance to decrease enough to cause a DoS condition.
While the information is out there and hackers could take advantage of it, Microsoft is unaware of any active attacks that rely on this flaw.
Until the update is released, users should know that by default IIS is not enabled on currently supported versions of the operating system and sites that don’t allow application/x-www-form-urlencoded or multipart/form-data HTTP content types are not susceptible to an attack.
Basically, sites that only serve static content or those that disallow the dynamic content types mentioned above are not vulnerable.
The update will be made available for all versions of Windows, including Windows XP Service Pack 3, Windows Server 2008 and Windows 7 for 64-bit systems. All Windows operating system users are advised to install the update as soon as it’s released to prevent any unfortunate incidents.
For now, there are no further details on the issue that affects Windows 7 64-bit, but judging by what Microsoft revealed on its German blog last week, it’s unlikely that something might be done too soon. They haven’t provided any more details on that certain issue, last time we heard from them the problem was still being investigated.
Other web programing languages and applications are also susceptible to a similar DoS attack. Learn how this is possible.