Microsoft Releases ASP.NET Patch

Microsoft has released a security update to patch an issue associated with Security Advisory 2659883. The vulnerability apparently affects all versions of Microsoft’s .NET Framework, and could allow a denial-of-service attack on servers that serve ASP.NET pages.

“The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision,” reads the Security Advisory, published on 28 December. “It is possible for the attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial-of-service condition.”
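Why colliding form keys are so expensive, shown as an added example that is not code from Microsoft or from the article: a toy chained hash table (CRC32 bucket index, 256 buckets, hypothetical names throughout) counts key comparisons while inserting ordinary keys and keys constructed to share one bucket. The `max_keys` cap is a generic mitigation included as an assumption, not a description of what MS11-100 changes.

```python
import zlib
from itertools import count, islice

BUCKETS = 256  # toy table size (assumption for this example)

def bucket_of(key):
    # Unkeyed, publicly known hash: anyone can predict a key's bucket.
    return zlib.crc32(key.encode()) % BUCKETS

class FormTable:
    """Toy chained hash table that counts key comparisons on insert."""
    def __init__(self, max_keys=None):
        self.buckets = [[] for _ in range(BUCKETS)]
        self.comparisons = 0
        self.size = 0
        self.max_keys = max_keys

    def add(self, key, value):
        chain = self.buckets[bucket_of(key)]
        for entry in chain:              # linear scan of the bucket's chain
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value         # existing key: overwrite
                return
        if self.max_keys is not None and self.size >= self.max_keys:
            raise ValueError("form post rejected: too many keys")
        chain.append([key, value])
        self.size += 1

def comparisons_for(keys, max_keys=None):
    table = FormTable(max_keys)
    for k in keys:
        table.add(k, "x")
    return table.comparisons

def same_bucket_keys(n):
    # Constructed input: distinct keys filtered so all land in bucket 0.
    candidates = (f"k{i}" for i in count())
    return list(islice((k for k in candidates if bucket_of(k) == 0), n))

N = 200
ordinary = [f"field{i}" for i in range(N)]   # constructed, well spread
colliding = same_bucket_keys(N)              # constructed, one bucket

if __name__ == "__main__":
    print("ordinary :", comparisons_for(ordinary))
    print("colliding:", comparisons_for(colliding))  # N*(N-1)/2 = 19900
    try:
        comparisons_for(colliding, max_keys=50)
    except ValueError as exc:
        print("capped   :", exc)
```

With every key in one bucket, insertion cost grows with the square of the number of keys, so a single post's size translates into disproportionate CPU time unless the parser bounds the key count or uses a hash the sender cannot predict.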

No exploits

Microsoft claims it is not aware of any specific exploits of the vulnerability. The patch (MS11-100) is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on “all supported editions of Microsoft Windows,” according to the company.

“We encourage affected customers to test and deploy the update as soon as possible,” Dave Forstrom, director of Microsoft Trustworthy Computing, wrote in a 29 December posting on the Microsoft Security Response Centre blog, adding that “consumers are not vulnerable unless they are running a web server from their computer.”

That represents an update from 28 December, when he wrote that Microsoft teams were working “around the clock worldwide” to address the issue.

According to one analyst, the MS11-100 patch is a peculiar milestone for Microsoft. “Microsoft ends this year with a nice, round 100 security bulletins, compared with 106 for last year,” Andrew Storms, director of security operations for nCircle, which provides vulnerability management and compliance audit solutions, wrote in a 29 December statement. “Today’s out-of-band patch is the first one this year, and it breaks what would have been a perfect record for Microsoft’s 2011 patch schedule.”

Other products affected

Nor is the vulnerability unique to ASP.NET. According to a list published by two researchers on gmane.comp.security, other potentially affected products include PHP 4 and 5, Java, Apache Tomcat and Geronimo, Jetty, Oracle Glassfish, Python, Plone, CRuby 1.8, JRuby and Rubinius v8.

Apache has already updated Tomcat for versions 7.0.x and 6.0.x, with another update planned for 5.5.x, and presumably other vendors will be offering mitigation advice for their respective platforms.

Nicholas Kolakowski eWEEK USA 2013. Ziff Davis Enterprise Inc. All Rights Reserved.
