Microsoft closes 2011 with an emergency Windows Update

By on December 29, 2011, 5:00 PM

Microsoft has issued a rare out-of-band update to plug a vulnerability in the .NET Framwork. The bulletin (MS11-100) comes several weeks before the next regularly scheduled Patch Tuesday in mid-January and addresses a flaw that could allow attackers to exploit hash tables to perform a denial-of-service (DoS) attack against a website built with Microsoft's ASP.NET application framework.

Usually, DoS attacks require thousands of computers (often malware-controlled systems in a botnet) to overwhelm a site with requests. However, this opening would allow an attacker to cripple a vulnerable site by sending a certain type of HTTP request. Each request sent would consume 100% of one CPU core. Sending several of such requests could easily devour all of a server's processing resources.

"Attacks targeting this type of vulnerability are generically known as hash collision attacks," the company said, adding that the hole is not specific to Microsoft's Web services as it affects PHP 5, Java, .NET, v8 and to some extent PHP 4, Ruby and Python. The folks behind those platforms are expected to issue similar updates in the near future, but the holidays will undoubtedly delay that process.

It's worth noting that this vulnerability isn't new. It was discovered as far back as 2003, around which time Pearl and CRuby made some changes to thwart such attacks. Microsoft's patch has already rolled out on Windows Update for Windows XP, Server 2003, Vista, Server 2008, 7, and Server 2008 R2. On the bright side, the company's Security Bulletin page doesn't mention a mandatory reboot.

User Comments: 17

Got something to say? Post a comment
Gars Gars said:


logged just to say that today got some unusual lockups like:

- foobar

- utorrenent

- mpc

before that Ive experience a sound glitch

something like "high voltage" + "punk, you get it"

for now, things r common

hahahanoobs hahahanoobs said:

Funny I should see this after logging into my hotmail account about 20mins ago, and given a mandatory account password change, for someone else using my account. Sure enough in the sent box were eight addresses I didn't recognize, sent in the past couple weeks, with the only activity before that being in 2009.

Guest said:

Recently I downloaded Explorer 9 and ever since I have been having problems viewing some videos sites. For example if I bring up MSN and want to watch a news video I can hear the sounds but the picture isn't there or it is just bits and pieces like tile. I can videos of YouTube but many internet chat sites I can't see what I am typing. Does anyone have an idea of what's wrong. Before downloading, Explorer 7 worked fine. Thanks.

Guest said:

Guest your fault is using Internet explorer in the first place don't you know their are a hell of a lot more secure and faster alternatives to internet explorer?

Guest said:

You still use IE?

bigceebin4 said:

I have W7 on one machine and WHS 2011 on another (in the same office). I have been simultaneously updating them the past few days. I rely on ASP .NET quite a bit in, and all the update have referenced .NET or some security patch.

And please use Chrome..

Guest said:

I have installed this on a few servers, the majority did not require a reboot however one did. Overall a quick patch install without any problems.

jtennison said:

"... Security Bulletin page doesn't mention a mandatory reboot"

It required a reboot on my Win7-SP1 system!

superty12 superty12 said:

No surprise that this is how Microsoft welcomes a new year...

Guest said:

Why use IE? What has it done for you?

Dannyk0ed said:

IE was great,but then firefox came along.

Matthew Matthew, TechSpot Staff, said:

jtennison said:

"... Security Bulletin page doesn't mention a mandatory reboot"

It required a reboot on my Win7-SP1 system!

I didn't have to reboot on Win7 Home Premium x64.

Guest said:

4 diiferent machines--all WIN7.

No reboot.

Guest said:

Ditto no reboot.

gobbybobby said:

Check for updates but don't install. Win 7 64 bit. No updates in the last week, at all. I don;t use IE tho. Did A fresh install on another machine and im pretty sure this update was in there. My windows update on this machine says everything up to date which is odd looking at the update history its not on there... (Same version of windows)

fpsgamerJR62 said:

At least the guys at Microsoft didn't go home early for the holidays. This patch is most appreciated.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.