Microsoft has issued a rare out-of-band update to plug a vulnerability in the .NET Framwork. The bulletin (MS11-100) comes several weeks before the next regularly scheduled Patch Tuesday in mid-January and addresses a flaw that could allow attackers to exploit hash tables to perform a denial-of-service (DoS) attack against a website built with Microsoft's ASP.NET application framework.
Usually, DoS attacks require thousands of computers (often malware-controlled systems in a botnet) to overwhelm a site with requests. However, this opening would allow an attacker to cripple a vulnerable site by sending a certain type of HTTP request. Each request sent would consume 100% of one CPU core. Sending several of such requests could easily devour all of a server's processing resources.
"Attacks targeting this type of vulnerability are generically known as hash collision attacks," the company said, adding that the hole is not specific to Microsoft's Web services as it affects PHP 5, Java, .NET, v8 and to some extent PHP 4, Ruby and Python. The folks behind those platforms are expected to issue similar updates in the near future, but the holidays will undoubtedly delay that process.
It's worth noting that this vulnerability isn't new. It was discovered as far back as 2003, around which time Pearl and CRuby made some changes to thwart such attacks. Microsoft's patch has already rolled out on Windows Update for Windows XP, Server 2003, Vista, Server 2008, 7, and Server 2008 R2. On the bright side, the company's Security Bulletin page doesn't mention a mandatory reboot.