Microsoft released a workaround for the flaw, which affects all versions of the Microsoft .NET framework. ASP.NET is the platform for building dynamic Web sites, applications and services.
The vulnerability is considered serious because an attacker could take down a site by consuming all CPU resources on a Web server, or a cluster of servers, using a series of specially crafted HTTP requests of roughly 100KB each. Just one such request could consume 100 percent of a single CPU core for between 90 and 110 seconds.
"An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or cluster of servers," Suha Can and Jonathan Ness, engineers with the Microsoft Security Response Center, said in a blog post.
Microsoft was unaware of any DoS attacks exploiting the vulnerability. Nevertheless, Microsoft decided to release a workaround, because detailed information on the flaw is publicly available.
Andrew Storms, director of security operations at nCircle, a network security and compliance auditing firm, said the vulnerability eliminated the need for a botnet to take a Web server down.
"Most DoS attacks rely on a huge number of small requests targeted at a specific web server to overwhelm it," Storms said in an e-mail statement. "In this case, a single request can consume a single core for 90 seconds. Queue up a few of these requests every few minutes and the site will be essentially knocked offline."
Storms said the method used to exploit the ASP.NET flaw, called a "hash collision attack," could also be used against other Web platform providers. "It's highly likely that this attack isn’t MS (Microsoft) specific and probably affects a number of vendors and we can expect other vendors to make similar zero-day announcements," he said. "Everybody will be scrambling to come up with mitigation advice and patch strategies."
Microsoft could release an emergency fix before its regularly scheduled monthly patch release in January. The company said it would decide after completing its investigation of the vulnerability.
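The mechanism behind the "hash collision attack" described above, as an added illustration that is not part of the original article and not Microsoft's or nCircle's code: a Web framework parses the fields of a POST body into a hash table, and an attacker who knows the (unkeyed, deterministic) string hash can craft thousands of distinct field names that all hash to the same value. Every insert then has to walk the whole collision chain, so N fields cost N*(N-1)/2 key comparisons instead of roughly N. The toy `weak_hash` below (h = h*31 + c) is a stand-in chosen because its collisions are easy to build by hand; it is not the .NET string hash, and the table, the form parser and the sample keys are all constructed here. The two mitigations shown, a keyed hash the attacker cannot precompute against and a hard cap on the number of fields per request, are the general countermeasures, not a description of the specific workaround the article refers to.

```python
"""Toy model of a hash-collision denial of service against a form parser.

Everything here is constructed for illustration: the hash, the table and
the request bodies.  It is not the .NET implementation.
"""
from __future__ import annotations

import hashlib
import itertools
import os
from typing import Callable


def weak_hash(s: str) -> int:
    """Deterministic multiplicative string hash (h = h*31 + c, 32-bit).

    Stand-in for any unkeyed string hash; NOT the .NET algorithm, just one
    whose collisions can be constructed by hand.
    """
    h = 0
    for c in s:
        h = (h * 31 + ord(c)) & 0xFFFFFFFF
    return h


def colliding_keys(blocks: int) -> list[str]:
    """2**blocks distinct strings that all share the same weak_hash().

    'Aa' and 'BB' both hash to 2112 under weak_hash.  Concatenating blocks of
    equal length and equal hash keeps the hash equal, so every combination
    of the two blocks collides with every other.
    """
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=blocks)]


class ChainedTable:
    """Minimal hash table with separate chaining that counts key comparisons."""

    def __init__(self, hash_fn: Callable[[str], int], buckets: int = 1 << 16,
                 max_keys: int | None = None):
        self.hash_fn = hash_fn
        self.buckets: list[list[list[str]]] = [[] for _ in range(buckets)]
        self.max_keys = max_keys  # per-request field cap (None = unlimited)
        self.size = 0
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        if self.max_keys is not None and self.size >= self.max_keys:
            raise ValueError(f"too many form fields (limit {self.max_keys})")
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:  # walk the chain; this is the O(N) step the attack abuses
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])
        self.size += 1


def keyed_hash(secret: bytes) -> Callable[[str], int]:
    """Keyed hash: without the per-process secret, collisions cannot be precomputed."""
    def h(s: str) -> int:
        digest = hashlib.blake2b(s.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return h


def parse_form(body: str, table: ChainedTable) -> ChainedTable:
    """Insert each name=value pair of an x-www-form-urlencoded body into table."""
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        table.insert(name, value)
    return table


def comparisons_for(keys: list[str], table: ChainedTable) -> int:
    """Build a POST body from the given field names, parse it, report the cost."""
    body = "&".join(f"{k}=x" for k in keys)
    parse_form(body, table)
    return table.comparisons


if __name__ == "__main__":
    keys = colliding_keys(12)  # 4096 colliding field names, about 108 KB of body
    print("weak hash  :", comparisons_for(keys, ChainedTable(weak_hash)))
    print("keyed hash :", comparisons_for(keys, ChainedTable(keyed_hash(os.urandom(16)))))
    try:
        comparisons_for(keys, ChainedTable(weak_hash, max_keys=1000))
    except ValueError as err:
        print("field cap  :", err)
```

With 12 blocks the body is about 108 KB, the same order of size as the requests the article describes, and the unkeyed table performs 4096*4095/2 = 8,386,560 comparisons for a single request, against a handful for the keyed table. The cap is the cheaper fix to deploy because it needs no change to the hash function, but it only bounds the damage; a keyed hash removes the attacker's ability to construct collisions at all.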