Topic: Microsoft's security advisory for zero-day vulnerability in ASP.NET

[Samker]

Just in case anybody’s got a BOFH working at the moment, pay attention: Microsoft has released a security advisory covering a zero-day vulnerability in ASP.NET.

“The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision,” the advisory says: http://technet.microsoft.com/en-us/security/advisory/2659883 The vulnerability exposes users to denial-of-service attacks.

An attacker could craft an HTTP request containing thousands of form values, which would consume all of the CPU resources of the target machine. Sites serving only static pages are not vulnerable to the attack. “Sites that disallow application/x-www-form-urlencoded or multipart/form-data HTTP content types are not vulnerable”, the advisory states.

Microsoft is not yet aware of any exploits in the wild.

As a workaround ahead of the patch, according to the advisory, is to set a limit to the size of HTTP request the server will accept.

(ElReg)