The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Patch your ASP.NET servers ASAP: ASP.NET Security Update Shipping Thursday, Dec 29th – ScottGu’s Blog

Posted by jpluimers on 2011/12/29

Quotes:

The security update we are releasing resolves a publicly disclosed Denial of Service issue present in all versions of ASP.NET.  We’re currently unaware of any attacks on ASP.NET customers using this exploit, but we strongly encourage customers to deploy the update as soon as possible.

Attacks such as these are not specific to any particular language or operating system. Presenters at the security conference discussed how to cause them using standard HTTP form posts against several different web frameworks (including ASP.NET). Because these attacks on web frameworks can create Denial of Service issues with relatively few HTTP requests, there is a high likelihood of attacks happening using this approach. We strongly encourage customers to deploy the update as soon as possible.

The security update we are releasing on Thursday, December 29th updates ASP.NET so that attackers can no longer perform these attacks. The security update does not require any code or application changes.

During the 28th Chaos Communication Congress in Germany, on December 28, 2011, a security vulnerability was shown that can potentially DoS many types of web servers (including ASP.NET) with a carefully crafted 100 kilobyte plain HTTP form post request.

Information on the ASP.NET vulnerability was published by Microsoft on December 27, 2011.

ASP.NET on all supported .NET versions (1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5 SP1, 4.0) on all supported Windows versions (XP, Server 2003 and R2, Vista, 7, Server 2008 and R2) is affected.

Since the vulnerability is very severe, Microsoft will publish an out-of-band fix today (December 29, 2011) at around 10 AM Pacific time (during winter, this is 1800 UTC) on Windows Update, Windows Server Update and the Microsoft Download Center, followed 3 hours later by a webcast at 1 PM Pacific time (2100 UTC).

More about 28C3 in German.

–jeroen

via: ASP.NET Security Update Shipping Thursday, Dec 29th – ScottGu’s Blog.
