Microsoft announces ASP.NET zero-day vuln

Just in case anybody’s got a BOFH working at the moment, pay attention: Microsoft has released a security advisory covering a zero-day vulnerability in ASP.NET. “The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision,” the advisory says. The vulnerability exposes …

COMMENTS

This topic is closed for new posts.
  1. fiddley

    Also...

    "PHP 5, Java, ASP.NET as well as V8 are fully vulnerable to this issue and PHP 4, Python and Ruby are partially vulnerable, depending on version or whether the server running the code is a 32-bit or 64-bit machine"

    http://www.nruns.com/_downloads/advisory28122011.pdf

    1. AndrewV

      There goes my day off.

  2. Antoine Dubuc
    Facepalm

    Spell check yourself for crying out loud

    Attrack...

    Dude, I've got a spell checker in Chrome.

    What are you? A squirrel typing inside a dead tree?

    1. Anonymous Coward

      luddite

      Using Chrome! What are you? A luddite?

      [alternative comment] Chrome? Here's a nickel kid, buy yourself a decent browser. [/alternative comment]

  3. Anonymous Coward

    A more permanent solution?

    Two ideas for a more permanent solution:

    apt-get remove microsoft-iis-5.0

    apt-get install apache2

    alternative instructions may be found here:

    http://httpd.apache.org/docs/1.3/windows.html

    ;-)

    1. Anonymous Coward

      Thank you for demonstrating why using open source technologies can be more dangerous than using Microsoft technologies in the real world.

      As the post above stated (which you clearly did not read, because you know better) this issue actually affects multiple application platforms to varying degrees (PHP, Java, ASP.NET, v8, Python and Ruby) so unless your proposed Apache solution is to just serve static content – and your business won’t thank you for that - then it probably won't help at all.

      Please read http://www.kb.cert.org/vuls/id/903934.

      Microsoft is releasing a patch for this today:

      http://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to-address-security-advisory-2659883.aspx

      All good Windows sysadmins will have a patching process in place and so will be applying this as soon as it can be tested against their production applications.

      Meanwhile the open source evangelists will do nothing in the mistaken and arrogant belief that because their systems are not Microsoft they must be secure while they may well be vulnerable to this issue - and will likely remain so indefinitely without an established patching process in place.

      When did you last patch your PHP/Ruby/Tomcat/Python installation?

      1. mikeHingley
        Facepalm

        Dear Mr AC...you know what? I'm with the other AC. Read the advisory, and after the paragraph which describes the type of error, and yes I'd agree that it *could* affect python or ruby or any other server side language, the issue here is that *is* affecting asp.net due to:

        "...the way that ADO.NET processes values in an ADO.NET form post, causing hash collisions."

        This isn't about ruby, or python, or anything else but ADO.NET.

        So, as these projects haven't used Microsoft code for their hash table implementation, then I would suggest that such projects as ruby and python are not affected by this microsoft code...of course they may have other problems, but the joy of FLOSS is that anyone - even you - can take a look at the code to make sure that the same problem doesn't occur there...now if we could only get a look at the code to see the mistake Microsoft made we could confirm whether the open source code made the same mistakes.

        1. PeteA
          Facepalm

          No, it isn't about Microsoft code

          It's about the hashing algorithm, which the paper explains quite clearly. So, although Ruby, v8, PHP and Java don't use the MS code, they _do_ use similar algorithms with the exact same problems. If you go back to the original paper, it's interesting to note that the original target was actually a Linux machine.

          The real question here is that the underlying issue has been known since 2003 and only addressed by Perl and CRuby until now...
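An added illustration of the point raised in the thread, not part of any post or of the advisory: with an unkeyed multiplicative string hash, field names can be chosen so that every one lands in the same bucket, while a hash keyed with a per-process secret spreads the same names out. The 1024-bucket table, the function names, the constructed key set and the `max_keys` limit are assumptions made for this example.

```python
import hashlib
import os
from collections import Counter
from itertools import product

BUCKETS = 1024  # assumed table size for the illustration


def times31(key: str) -> int:
    """Unkeyed multiplicative string hash (h = 31*h + c), truncated to 32 bits."""
    h = 0
    for ch in key:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def keyed(key: str, secret: bytes) -> int:
    """Keyed hash: the bucket depends on a secret the client never sees."""
    digest = hashlib.blake2b(key.encode(), digest_size=8, key=secret).digest()
    return int.from_bytes(digest, "big")


def longest_chain(keys, hash_fn) -> int:
    """Size of the fullest bucket after inserting every key."""
    return max(Counter(hash_fn(k) % BUCKETS for k in keys).values())


def constructed_form_keys(blocks: int = 8):
    """Constructed sample input: "Aa" and "BB" share one times31 value,
    so every equal-length concatenation of them collides as well."""
    return ["".join(p) for p in product(("Aa", "BB"), repeat=blocks)]


def accept_form(keys, max_keys: int = 100) -> bool:
    """Hypothetical request-level guard: refuse posts with too many fields."""
    return len(keys) <= max_keys


if __name__ == "__main__":
    keys = constructed_form_keys()
    secret = os.urandom(16)  # fresh per process
    print("fields:", len(keys))
    print("longest chain, unkeyed:", longest_chain(keys, times31))
    print("longest chain, keyed:", longest_chain(keys, lambda k: keyed(k, secret)))
    print("accepted by field cap:", accept_form(keys))
```

Adding a seed only as the starting value of `times31` would not help: equal-length colliding keys still collide, because the seed contributes the same term to each of them.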

    2. Tchou
      Go

      @ac 09:23

      Just out of curiosity, what would you expect from a change from IIS to Apache?

      IIS and Apache are the worst performing web servers available.

      Sure one is open source but frankly did you even *try* to look at the actual code? If yes, did you understand it all? If no, do you even remotely know someone who did?

      Here are two links (for impartiality) to performing web servers:

      http://gwan.com/

      http://www.lighttpd.net/

      Cheers

  4. Anonymous Coward
    FAIL

    Re: A more permanent solution?

    Wooooooohhhh... command line! You're really the man aren't you? Who cares if you didn't actually read the advisory and your solution doesn't fix the issue.

    The main thing is that you did successfully read the word Microsoft and chipped in with the obligatory negative comments, and a bit of evangelism for fos, phrased in geeky command line terms.

    Well done. You are truly one of the gang now.

    1. mikeHingley
      Linux

      no...that works

      The issue here is a Microsoft issue. I mean....it really is, that's why they're releasing a patch for the 0 day vulnerability on their code. The permanent solution doesn't give a fully working ado.net solution back, but at least if someone posts to your website now, they won't be able to potentially break it for everyone.

      Command line is good though cos you can at least cut and paste those lines to accomplish something. Think of it like administrative fuzzy felt.

      1. Anonymous Coward

        @Mike

        You can cut and paste "apt" commands and actually achieve something, on Windows?

        1. Anonymous Coward

          Oh, come on

          It's pseudo-code

          1. Anonymous Coward

            No...

            It's pseudo-thinking, which seems to have been here in numbers that would shame Slashdot in the last week or so.

            What has happened? Have the last few commenting adults had to deal with their families for Christmas and leave the comments forum to stroppy teenagers?

  5. Tchou
    Coat

    Isn't asp.net a denial of service per se?

    Ok ---------------->[- ]

  6. James Fox
    Windows

    @mikeHingley

    ADO.Net? I thought it was a 0 day vuln, not a -3000 day vuln =) But then I suppose all Microsoft technologies look the same to you.
