Microsoft Ends Year With First Emergency Patch
Microsoft determined that the flaw was serious enough to warrant a fix outside the company's normal release schedule of the second Tuesday of each month. The latest patch, the first out-of-cycle fix this year, brought the number of security bulletins issued in 2011 to 100, compared to 106 last year.
"Microsoft has obviously been working overtime through the Christmas holiday to deliver an out-of-band patch for the DoS bug," Andrew Storms, director of security operations at nCircle, said in an e-mailed comment. NCircle is a network security and compliance auditing firm.
Dave Forstrom, director of Microsoft's Trustworthy Computing unit, recommended that customers test and deploy the update as soon as possible. "Consumers are not vulnerable unless they are running a Web server from their computer," he said in a statement.
Microsoft released a workaround for the flaw on Wednesday as a stopgap measure until a permanent fix was available. An attacker could exploit the vulnerability to take down a site by consuming all CPU resources on a Web server or cluster of servers. To do that, the attacker would need to send only a series of specially crafted, 100 KB HTTP requests. Because of the flaw, each request would consume 100 percent of one CPU core.
Normally, denial-of-service (DoS) attacks require the use of thousands of Internet-connected computers bombarding a site with requests. The computers are often controlled by attackers through malware that the PCs' users installed unknowingly.
The method used to exploit the ASP.NET vulnerability is called a "hash collision attack." The flaw is not unique to the Microsoft platform. Other Web platform providers were also expected to issue patches, Storms said in an earlier comment. "Everybody will be scrambling to come up with mitigation advice and patch strategies."
Microsoft announced the existence of the vulnerability after detailed information on the flaw became publicly available. The company was unaware of any related DoS attacks.