Microsoft Issues Security Warning For Zero-Day Bug
Microsoft released a workaround for the flaw, which affects all versions of the Microsoft .NET framework. ASP.NET is the platform for building dynamic Web sites, applications and services.
The vulnerability is considered serious because an attacker could take down a site by consuming all CPU resources on a Web server, or cluster of servers, using a series of specially crafted, 100KB HTTP requests. Just one such request could consume 100 percent of one CPU core for between 90 and 110 seconds.
"An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or cluster of servers," Suha and Jonathan Ness, engineers with Microsoft Security Response Center, said in a blog post.
Microsoft was unaware of any DoS attacks exploiting the vulnerability but nevertheless released a workaround because detailed information on the flaw is publicly available.
Andrew Storms, director of security operations at nCircle, a network security and compliance auditing firm, said the vulnerability eliminated the need for a botnet to take a Web server down.
"Most DoS attacks rely on a huge number of small requests targeted at a specific web server to overwhelm it," Storms said in an e-mail statement. "In this case, a single request can consume a single core for 90 seconds. Queue up a few of these requests every few minutes and the site will be essentially knocked offline."
Storms said the method used to exploit the ASP.NET flaw, called a "hash collision attack," could also be used against other Web platform providers. "It's highly likely that this attack isn’t MS (Microsoft) specific and probably affects a number of vendors and we can expect other vendors to make similar zero-day announcements," he said. "Everybody will be scrambling to come up with mitigation advice and patch strategies."
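As an added illustration, not code from the article, from Microsoft or from nCircle, the following Python models the mechanism behind such a hash collision DoS: when every key in a form body lands in the same hash bucket, the parser's comparisons grow with the square of the key count, and a cap on the number of keys bounds that work before it starts. The toy hash, the chained table, the `max_keys` limit and the sample bodies are all constructed here for the demonstration.

```python
# Added illustration: quadratic parsing cost under key collisions, and a
# key-count cap that refuses the body before the per-key work begins.
from typing import Callable, Optional
from urllib.parse import parse_qsl


def weak_hash(key: str) -> int:
    """Toy hash for this demo only: keys of equal length all collide,
    standing in for the real collisions the attack relies on."""
    return len(key)


class ChainedTable:
    """Minimal chained hash table that counts key comparisons on insert."""

    def __init__(self, hash_fn: Callable[[str], int], buckets: int = 4096) -> None:
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1  # every key already in the chain costs a compare
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def parse_form(body: str, hash_fn: Callable[[str], int] = hash,
               max_keys: Optional[int] = None) -> ChainedTable:
    """Parse a urlencoded form body into the table. With max_keys set the
    body is rejected before any per-key work, which is the shape of a
    parameter-count limit (an assumed mitigation, not the article's text)."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if max_keys is not None and len(pairs) > max_keys:
        raise ValueError(f"too many form keys: {len(pairs)} > {max_keys}")
    table = ChainedTable(hash_fn)
    for k, v in pairs:
        table.put(k, v)
    return table


def build_body(n: int) -> str:
    """Constructed sample body of n short keys (k00000=x&k00001=x&...).
    A 100KB body of this shape holds roughly eleven thousand keys."""
    return "&".join(f"k{i:05d}=x" for i in range(n))


if __name__ == "__main__":
    body = build_body(2000)
    print("colliding:", parse_form(body, weak_hash).comparisons)  # 1999000
    print("spread:   ", parse_form(body).comparisons)             # a few hundred
```

With the toy hash every key shares one chain, so 2000 keys cost 2000*1999/2 comparisons, while the same body under a spreading hash costs a few hundred; the cap turns the attacker's per-request cost into a fixed ceiling chosen by the defender.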
Microsoft could release an emergency fix before its regularly scheduled monthly patch release in January. The company said it would decide after completing its investigation of the vulnerability.