This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Microsoft publishes workaround for ASP.NET vulnerability

Share this article:
Microsoft fixes Internet Explorer and 'blue screen of death' vulnerabilities on Patch Tuesday
Microsoft fixes Internet Explorer and 'blue screen of death' vulnerabilities on Patch Tuesday

Microsoft published an advisory to provide a workaround to help protect ASP.NET customers from a publicly disclosed vulnerability that affects various web platforms.

Announced ahead of the New Year, Dave Forstrom, director of Microsoft Trustworthy Computing, said it was not aware of any attacks using this vulnerability, which affects all supported versions of the .NET Framework, but it recommended customers use the mitigation and workaround described in the advisory to help protect sites against this new method to exploit hash tables.

The denial-of-service vulnerability affects several vendors' web application platforms, including Microsoft's ASP.NET.

He said: “Our teams are working around the clock worldwide to develop a security update of appropriate quality to address this issue. We are also working closely with our Microsoft Active Protections Program (MAPP) to help our partners build protections when and where possible. We will continue to update customers with new information as it becomes available.”

Suha Can and Jonathan Ness from the Microsoft security research and defence team said the vulnerability could allow an attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers.

“For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100 per cent of one CPU core for between 90 and 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial-of-service condition for even multi-core servers or clusters of servers,” they said.

The advisory said it anticipates the imminent public release of exploit code. Wolfgang Kandek, CTO of Qualys, praised Microsoft's speed in responding to the research by the Chaos Communication Congress.

He said: “The bulletin fixes the denial-of-service attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 1,000, which should be enough for normal web applications, but still low enough to neutralise the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.

“Overall the bulletin addresses four issues: CVE-2011-3416 is an ASP.Net Forms Authentication Bypass issue which is rated as critical; CVE-2011-3414 is the hash table collision denial-of-service issue discussed above and is rated as important; CVE-2011-3417 is the ASP.NET Ticket Caching vulnerability, which is also rated as important; and CVE-2011-3415 is the Insecure Redirect vulnerability, which is rated as moderate. We recommend installing as soon as possible if you have web based infrastructure that uses ASP.NET.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Hundreds of companies face 2,000 cyber-attacks in EU exercise

Hundreds of companies face 2,000 cyber-attacks in EU ...

The European Network and Information Security Agency (ENISA) conducted a 24-hour cyber-exercise in which more than 200 organisations from 25 EU member states faced virtual cyber-attacks from white hat hackers ...

Cyber security still a learning curve for most companies

Cyber security still a learning curve for most ...

Poor network visibility, outdated security tools, a skills shortage and a lack of control in the cloud are just some of the reasons companies are struggling with cyber-security, say two ...

WorldPay hacker sentenced to 11 years for role in £6 million scheme

WorldPay hacker sentenced to 11 years for role ...

An Estonian man, who helped hack payment processor RBS WorldPay in 2008, has now been sentenced to 11 years in prison for his involvement in the £5.9 (US$ 9.4 million) ...