The Register® — Biting the hand that feeds IT


Microsoft announces ASP.NET zero-day vuln

Workaround ahead of patch


Just in case anybody’s got a BOFH working at the moment, pay attention: Microsoft has released a security advisory covering a zero-day vulnerability in ASP.NET.

“The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision,” the advisory says. The vulnerability exposes users to denial-of-service attacks.

An attacker could craft an HTTP request containing thousands of form values, which would consume all of the CPU resources of the target machine. Sites serving only static pages are not vulnerable to the attack. “Sites that disallow application/x-www-form-urlencoded or multipart/form-data HTTP content types are not vulnerable”, the advisory states.

Microsoft is not yet aware of any exploits in the wild.

The workaround ahead of the patch, according to the advisory, is to set a limit on the size of HTTP request the server will accept. ®
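The request-size limit described above can be expressed in an ASP.NET application's web.config. The fragment below is an added illustration, not text from the advisory or from The Register; the attribute `httpRuntime maxRequestLength` is the standard ASP.NET setting (value in kilobytes), and the figure of 200 KB is an assumed, illustrative cap rather than a value quoted from this page.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Cap the accepted request body at 200 KB (value is in kilobytes).
         A body this small cannot carry the thousands of form values the
         hash-collision attack relies on, so the request is rejected before
         the form parser does the expensive work. 200 is an assumed figure;
         size it to the largest legitimate form your application receives. -->
    <httpRuntime maxRequestLength="200" />
  </system.web>
</configuration>
```

Pages that genuinely need large bodies (file uploads, for instance) can be given a higher limit in a `<location path="...">` override so the tighter default still applies to every other endpoint. The workaround is only a stopgap: the request size is a proxy for the number of form values, and the patch is what actually removes the collision behaviour.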


Anonymous Coward

Thank you for demonstrating why using open source technologies can be more dangerous than using Microsoft technologies in the real world.

As the post above stated (which you clearly did not read, because you know better) this issue actually affects multiple application platforms to varying degrees (PHP, Java, ASP.NET, v8, Python and Ruby) so unless your proposed Apache solution is to just serve static content – and your business won’t thank you for that - then it probably won't help at all.

Please read http://www.kb.cert.org/vuls/id/903934.

Microsoft is releasing a patch for this today:

http://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to-address-security-advisory-2659883.aspx

All good Windows sysadmins will have a patching process in place and so will be applying this as soon as it can be tested against their production applications.

Meanwhile the open source evangelists will do nothing in the mistaken and arrogant belief that because their systems are not Microsoft they must be secure while they may well be vulnerable to this issue - and will likely remain so indefinitely without an established patching process in place.

When did you last patch your PHP/Ruby/Tomcat/Python installation?

6
3
Anonymous Coward

luddite

Using Chrome! What are you? A luddite?

[alternative comment] Chrome? Here's a nickel kid, buy yourself a decent browser. [/alternative comment]

4
1

Re: A more permanent solution?

Wooooooohhhh... command line! You're really the man aren't you? Who cares if you didn't actually read the advisory and your solution doesn't fix the issue.

The main thing is that you did successfully read the word Microsoft and chipped in with the obligatory negative comments, and a bit of evangelism for FOSS, phrased in geeky command line terms.

Well done. You are truly one of the gang now.

3
1
