Search
Homepage This page's url is: -crn-
Latest News Applications OS Channel Programs Cloud Components & Peripherals Data Center Internet of Things Managed Services Mobility Networking Running Your Business Security Storage Virtualization
All Carousels Applications OS Channel Programs Cloud Components & Peripherals Data Center Internet of Things Managed Services Mobility Networking Running Your Business Security Storage Virtualization
IT Operations Management Cloud Storage Remote Workforce Managed Security Monitoring as a Service Midmarket Opportunities IoT Platforms Cloud Partner Programs Software-defined Data Center Industry Trends Edge Computing
Citrix Wasabi Panduit VMware HP Inc. Veeam Spectrum Partner Program Mimecast Scale Computing
Rising Stars Showcase Dell Technologies Storage Learning Center Webroot Learning Center CRN Showcase Dell Technologies Cloud Learning Center Top 100 Executives Showcase Emerging Vendors Showcase Women of the Channel Showcase Sophos Cybersecurity Learning Center Disaster Recovery Learning Center Comcast Business Learning Center BlackBerry Cylance Learning Center Eaton Learning Center Symantec Business Security Learning Center
Rankings and Research Companies Channelcast Marketing Matters CRNtv Events WOTC Jobs HPE Zone Masergy Zenith Partner Program Newsroom Intel Partner Connect Digital Newsroom Dell Technologies World Newsroom Dell Technologies Newsroom IBM Newsroom The IoT Integrator NetApp Data Fabric Intel Tech Provider Zone

Microsoft Issues Security Warning For Zero-Day Bug

Microsoft says the newly discovered vulnerability in the ASP.NET framework could make a denial of service attack relatively easy to execute on a Web site.

By Antone Gonsalves December 28, 2011, 03:10 PM EST

Microsoft released a workaround for the flaw, which affects all versions of the Microsoft .NET framework. ASP.NET is the platform for building dynamic Web sites, applications and services.

The vulnerability is considered serious because an attacker could take down a site by consuming all CPU resources on a Web server, or cluster of servers, using a series of specially crafted, 100KB HTTP requests. Just one such request could consume 100 percent of one CPU core for between 90 and 110 seconds.

"An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or cluster of servers," Suha and Jonathan Ness, engineers with Microsoft Security Response Center, said in a blog post.

Microsoft was unaware of any DoS attacks exploiting the vulnerability. Nevertheless, Microsoft decided to release a workaround, because detailed information on the flaw is publicly available.

Andrew Storms, director of security operations at nCircle, a network security and compliance auditing firm, said the vulnerability eliminated the need for a botnet to take a Web server down.

"Most DoS attacks rely on a huge number of small requests targeted at a specific web server to overwhelm it," Storms said in an e-mail statement. "In this case, a single request can consume a single core for 90 seconds. Queue up a few of these requests every few minutes and the site will be essentially knocked offline."

Storms said the method used to exploit the ASP.NET flaw, called a "hash collision attack," could also be used against other Web platform providers. "It's highly likely that this attack isn’t MS (Microsoft) specific and probably affects a number of vendors and we can expect other vendors to make similar zero-day announcements," he said. "Everybody will be scrambling to come up with mitigation advice and patch strategies."

Microsoft could release an emergency fix before its regularly scheduled monthly patch release in January. The company said it would decide after completing its investigation of the vulnerability.

Related Topics:
Back to Top

related stories

Video

 

sponsored resources