Microsoft Issues Critical Out-of-Band Security Update for .NET Framework

Pulkit Chandna

You can step into the new year feeling more secure, thanks to an important security update from Microsoft. The Redmond company on Thursday issued an out-of-band security update that addresses a “critical” denial-of-service (DoS) vulnerability (CVE-2011-3414) that affects Microsoft’s ASP.NET, among other web application platforms.

With this out-of-band patch (MS11-100), Microsoft has completed a century of security updates in 2011. Writing on the Security Research and Defense blog, the Microsoft Security Response Center (MSRC) team thanked the ASP.NET team for the “hours and hours of work spent over the holiday on this issue.”

If exploited successfully, the vulnerability could allow an attacker to exhaust all CPU resources on a web server, or even a cluster of servers, the company revealed in a blog post earlier this week. It blamed the vulnerability on a “computationally expensive hash table insertion mechanism triggered by an HTTP request containing thousands and thousands of form values.”

“For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers.”
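The mechanism Microsoft describes is the classic hash-table collision problem: when every form field name lands in the same bucket, each insertion has to walk the whole chain, so parsing n fields costs on the order of n² comparisons instead of n. The Python below is an added illustration, not code from Microsoft or from the article. It uses a deliberately weak toy hash (bucket chosen by key length) to make the quadratic blow-up visible, and then shows the two defences: a cap on the number of form keys per request (the MS11-100 fix introduced such a cap, 1,000 keys by default) and a keyed hash whose bucket assignment an outsider cannot predict. The secret key, bucket count and form body are constructed placeholders; no real .NET hash function is modelled.

```python
import hashlib


class FormTooLarge(ValueError):
    """Raised when a request carries more form keys than the configured cap."""


class ChainedTable:
    """Minimal hash table with separate chaining that counts key comparisons."""

    def __init__(self, buckets, hash_fn):
        self.buckets = [[] for _ in range(buckets)]
        self.hash_fn = hash_fn
        self.comparisons = 0  # total key comparisons performed by insert()

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:          # every existing entry in the chain is compared
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])

    def get(self, key):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for k, v in chain:
            if k == key:
                return v
        return None


def weak_hash(key):
    # Toy hash: depends only on the key's length, so all same-length keys
    # share one bucket. It stands in for any hash an attacker can predict.
    return len(key)


# Constructed placeholder; a real server would generate this per process.
SECRET = b"constructed-per-process-secret"


def keyed_hash(key):
    # Bucket choice depends on a secret, so colliding keys cannot be
    # precomputed without knowing it.
    digest = hashlib.blake2b(key.encode(), key=SECRET, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def parse_form(body, hash_fn, max_keys=1000, buckets=4096):
    """Parse an application/x-www-form-urlencoded body into a ChainedTable.

    max_keys bounds the work a single request can cause; pass None to
    disable the cap (only to demonstrate the unpatched behaviour).
    """
    pairs = body.split("&") if body else []
    if max_keys is not None and len(pairs) > max_keys:
        raise FormTooLarge(f"{len(pairs)} form keys exceeds cap of {max_keys}")
    table = ChainedTable(buckets, hash_fn)
    for pair in pairs:
        key, _, value = pair.partition("=")
        table.insert(key, value)
    return table


def colliding_body(n):
    # Constructed request body: n distinct field names of identical length,
    # so under weak_hash every one of them lands in the same bucket.
    return "&".join(f"f{i:05d}=x" for i in range(n))


if __name__ == "__main__":
    body = colliding_body(2000)
    unpatched = parse_form(body, weak_hash, max_keys=None)
    print("weak hash, no cap:", unpatched.comparisons, "comparisons")
    keyed = parse_form(body, keyed_hash, max_keys=None)
    print("keyed hash, no cap:", keyed.comparisons, "comparisons")
    try:
        parse_form(body, weak_hash)  # default cap of 1000 keys
    except FormTooLarge as exc:
        print("capped:", exc)
```

Running it shows the unpatched table doing n(n-1)/2 comparisons for 2,000 colliding keys, the keyed table doing only a few hundred for the same body, and the capped parser refusing the request before any insertion happens. In a real deployment the cap is the cheap, immediate mitigation, and the keyed hash removes the root cause.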

But the DoS vulnerability is not the only one addressed by this security bulletin. It also includes patches for three other vulnerabilities, including a “critical” elevation-of-privilege vulnerability. As for the remaining two, one is rated “moderate” and the other “important.” Apparently, an update for these three vulnerabilities was ready for dispatch when the company received notification of the DoS vulnerability. That security update was then put on hold until a fix was ready for the DoS vulnerability.