Microsoft Releases OOB Update to .NET

Due to a vulnerability shared by several programming languages and frameworks, ASP.NET among them, Microsoft has released an out-of-band security update (MS11-100) to fix the problem. This vulnerability lets a single small program, with no botnet required, bring down a website just by sending crafted HTTP requests. If you are running a web server, make sure you update your machines!

The problem that caused a stir in the security community exists in many of the Web’s most popular application and site programming languages, including ASP.NET, the open-source PHP and Ruby, Oracle’s Java and Google’s V8 JavaScript, according to two German researchers, Alexander Klink and Julian Walde.

Klink and Walde, who presented their findings at the Chaos Communication Congress (CCC) conference in Berlin on Wednesday, traced the flaw to the way those languages, and others, handle hash tables, a programming structure used to quickly store and retrieve data.

Unless a language randomizes its hash function or otherwise guards against "hash collisions" (different inputs that produce the same hash value), attackers can precompute a set of inputs that all collide, then send that set as a single, ordinary HTTP request (for example, as form-field names). Because every colliding entry forces the server to walk the same bucket chain, insertion cost grows quadratically with the number of fields, so a hacker using relatively small attack packets could consume all the processing power of even well-equipped servers, effectively knocking them offline.
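To make the mechanism and the two usual defences concrete, here is an added example in Python (not code from the article, the researchers or Microsoft's patch). It uses a toy sum-of-characters hash as a stand-in for a predictable string hash, BLAKE2b as a stand-in for a keyed hash such as SipHash, and a chosen limit of 1000 form fields; the colliding input is constructed from anagrams of one string.

```python
import hashlib
import os
from collections import defaultdict
from itertools import permutations

BUCKETS = 1024

def weak_hash(s: str) -> int:
    # Toy deterministic hash standing in for a predictable string hash:
    # the sum of code points, so every anagram of a string collides.
    return sum(map(ord, s)) % BUCKETS

def keyed_hash(s: str, key: bytes) -> int:
    # Mitigation 1: a keyed hash with a per-process random key, so an
    # attacker cannot precompute colliding inputs (blake2b is used here
    # as a stand-in for a keyed hash such as SipHash).
    digest = hashlib.blake2b(s.encode(), key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS

def max_chain(keys, hfn) -> int:
    # Longest bucket chain: per-lookup work degrades linearly with it,
    # so total insertion work for n colliding keys is O(n^2).
    counts = defaultdict(int)
    for k in keys:
        counts[hfn(k)] += 1
    return max(counts.values())

def parse_form(body: str, max_fields: int = 1000) -> dict:
    # Mitigation 2: cap the number of form fields before building the
    # table at all (1000 is a chosen default for this example).
    pairs = body.split("&")
    if len(pairs) > max_fields:
        raise ValueError(f"too many form fields: {len(pairs)} > {max_fields}")
    fields = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        fields[name] = value
    return fields

# Constructed input: 2000 anagrams of one string, all colliding under weak_hash.
COLLIDING = ["".join(p) for p in permutations("abcdefg")][:2000]
PROCESS_KEY = os.urandom(16)

if __name__ == "__main__":
    print("weak hash, max chain :", max_chain(COLLIDING, weak_hash))
    print("keyed hash, max chain:", max_chain(COLLIDING, lambda s: keyed_hash(s, PROCESS_KEY)))
    try:
        parse_form("&".join(f"{k}=1" for k in COLLIDING))
    except ValueError as err:
        print("request rejected:", err)
```

The weak hash puts all 2000 constructed keys in one chain, the keyed hash spreads them across buckets, and the field cap rejects the oversized body before any hashing happens.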

Microsoft confirmed that a single 100K specially crafted HTTP request sent to a server running ASP.NET would consume 100% of one CPU core for 90-110 seconds.