Microsoft Issues Emergency Patch for ASP.NET Vulnerability
Microsoft recently rushed out a security update outside its normal patch cycle to fix a denial-of-service (DoS) problem affecting ASP.NET 1.1 and later, along with the other variants that .NET supports, softpedia.com reported on 30th December 2011.
Reportedly, the security bulletin, named MS11-100, patches a flaw in how ASP.NET hashes specially crafted requests. When attackers inject specially crafted data into hash tables, the resulting hash collisions overwhelm the server's CPU to the point of causing a DoS condition.
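To make the defensive side of this concrete, here is an added example (not code from the article, from Microsoft, or from any of the affected platforms) in Python, one of the platforms the article lists as affected. It demonstrates the two measures that address hash-collision DoS in general: capping the number of form fields a request may carry before any hash table is built from them, and deriving bucket positions with a keyed hash under a per-process random secret, so that keys precomputed to collide under a fixed, public hash function do not collide in the running server. The field limit, the `max_chain_length` health check and the sample request bodies are constructed for the example.

```python
"""Defensive handling of form input against hash-collision DoS (added example)."""
import hashlib
import os
from urllib.parse import parse_qsl

# Assumed per-request limit on form fields; the value is chosen for this example.
MAX_FORM_FIELDS = 1000


class FormTooLarge(ValueError):
    """Raised when a request body carries more fields than the server will hash."""


def parse_form_body(body: str, max_fields: int = MAX_FORM_FIELDS) -> dict:
    """Parse a urlencoded body into {key: [values]}, refusing oversized bodies first.

    The field count is checked by counting separators before any parsing or
    hashing happens, so rejecting an attack request costs O(len(body)) and no
    hash table is ever built from the attacker's keys.
    """
    if body.count("&") + 1 > max_fields:
        raise FormTooLarge(f"more than {max_fields} form fields in request body")
    # parse_qsl enforces the same cap itself via max_num_fields (CPython >= 3.7.2),
    # which was added to the standard library for exactly this class of problem.
    pairs = parse_qsl(body, keep_blank_values=True, max_num_fields=max_fields)
    form: dict = {}
    for key, value in pairs:
        form.setdefault(key, []).append(value)
    return form


# A per-process secret makes bucket placement unpredictable to a remote client.
# Anyone who precomputed colliding keys for a fixed hash function gains nothing,
# because the function they targeted is not the one this process uses.
PROCESS_HASH_SECRET = os.urandom(16)


def bucket_index(key: str, nbuckets: int, secret: bytes = PROCESS_HASH_SECRET) -> int:
    """Map a key to a bucket with a keyed BLAKE2b digest instead of a public hash."""
    digest = hashlib.blake2b(key.encode("utf-8"), digest_size=8, key=secret).digest()
    return int.from_bytes(digest, "big") % nbuckets


def max_chain_length(keys, nbuckets: int, secret: bytes = PROCESS_HASH_SECRET) -> int:
    """Longest bucket chain for a set of keys.

    This is the quantity a collision attack drives up; with a keyed hash it stays
    close to the statistical expectation, so it doubles as a health check.
    """
    counts = [0] * nbuckets
    for key in keys:
        counts[bucket_index(key, nbuckets, secret)] += 1
    return max(counts) if counts else 0


if __name__ == "__main__":
    # Constructed sample bodies: a normal login form and an oversized one.
    print(parse_form_body("user=alice&lang=en&lang=fr"))
    oversized = "&".join(f"k{i}=v" for i in range(1500))
    try:
        parse_form_body(oversized)
    except FormTooLarge as exc:
        print("rejected:", exc)
    print("longest chain:", max_chain_length([f"k{i}" for i in range(1000)], 1024))
```

The separator count runs before `parse_qsl` so that a hostile body is refused without ever being tokenised; the keyed hash is the complementary fix, since a field limit alone still lets an attacker make every permitted insert cost a full chain walk if the hash function is predictable.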
Alongside the above, Microsoft's security update fixes other flaws too.
Intriguingly, hackers have been found to carry out phishing attacks by exploiting a spoofing flaw in how return URLs are checked during form validation. Exploiting it lets criminals redirect end-users to any malicious site crafted to harvest personal information.
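The defence against that kind of return-URL spoofing is to accept only a local, relative path before redirecting. The following validator is an added example written for this article (not Microsoft's code or ASP.NET's own check) in Python; the sample URLs it is tried against are constructed.

```python
"""Validate a post-login return URL so it can only lead back into this site (added example)."""
from urllib.parse import urlsplit


def is_safe_return_url(url: str) -> bool:
    """Return True only for a site-local absolute path such as '/account/settings'.

    Rejects anything with a scheme or host, protocol-relative forms ('//host/'),
    backslashes (which some browsers normalise to '/'), and control characters.
    """
    if not url or any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False
    # Must be an absolute path on this site, and not a protocol-relative URL.
    return parts.path.startswith("/") and not parts.path.startswith("//")


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """Return the requested URL if it passes the check, otherwise the site fallback."""
    return url if is_safe_return_url(url) else fallback


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest must be refused.
    for candidate in ["/account", "/orders?id=7", "//attacker.example/login",
                      "http://attacker.example/", "/\\attacker.example", "account"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```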
A validation-bypass flaw found in ASP.NET forms is harder to exploit; however, once a cyber-criminal manages to create an account while the software is running and learns the name of the targeted account, he could use a particular web request to trigger an action such as arbitrary code execution.
Worryingly, the vulnerability isn't specific to Microsoft's web platform: Java, PHP 5, V8, .NET, Python, Ruby and PHP 4 are all affected by it. Vendors of these other platforms are expected to release similar updates soon, but with the holidays on, the process is bound to be delayed.
Additionally, the flaw in question isn't new: its discovery dates back to 2003, when CRuby and Perl introduced alterations to foil such attacks. The Microsoft security patch addresses the problem on Windows XP, Vista, 7, Server 2003, Server 2008 and Server 2008 R2.
Dave Forstrom, director of Microsoft's Trustworthy Computing group, advised customers to test the update and install it as soon as possible. According to him, end-users could be vulnerable if their computers were running active web servers, CRN reported in the last week of December 2011.
SPAMfighter News - 06-01-2012