Saturday, December 31, 2011

Microsoft releases MS11-100 for ASP.NET DoS attack

Posted on 29 December 2011.

Today Microsoft released a security bulletin addressing a flaw in ASP.NET that was disclosed early yesterday morning at the Chaos Communication Congress (CCC) in Berlin.

Microsoft tested and finished MS11-100 in record time, taking about 30 days to integrate this new vulnerability with the fix that was already scheduled for January 2012. We consider Microsoft's reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers' work.

We will be tracking how the other affected projects and vendors (PHP, Oracle, Python, Ruby and others) are rolling out their patches.

The bulletin fixes the DoS attack vector by limiting the number of variables that can be submitted in a single HTTP POST request. The default limit is 500, which should be enough for normal web applications but is still low enough to neutralize the attack as described by the security researchers in Germany.

This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.
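The following added example (not Microsoft's code and not part of the original post) shows why capping the number of POST variables bounds the work even when the hash function is left unchanged. The toy `ChainedTable`, the constant hash used to model total collision, and all names are assumptions; only the limit of 500 comes from the article.

```python
from urllib.parse import unquote_plus

MAX_FORM_KEYS = 500  # default limit quoted in the article


class TooManyFormKeys(ValueError):
    """Raised when a request body carries more fields than the cap allows."""


def parse_form(body, max_keys=MAX_FORM_KEYS):
    """Split an urlencoded POST body, refusing it before any table is built."""
    pairs = []
    for field in body.split("&"):
        if not field:
            continue
        if len(pairs) >= max_keys:
            raise TooManyFormKeys(f"more than {max_keys} form fields")
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


class ChainedTable:
    """Toy chained hash table (assumption) that counts key comparisons."""

    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def worst_case_comparisons(n_keys):
    """Insert n distinct keys that all land in one bucket (constant hash)."""
    table = ChainedTable(hash_fn=lambda key: 0)
    for i in range(n_keys):
        table.insert(f"field{i}", "")
    return table.comparisons


if __name__ == "__main__":
    for n in (500, 2000, 4000):
        print(n, worst_case_comparisons(n))
```

With every key colliding, insertion cost grows as n(n-1)/2, so a request held to 500 fields costs at most 124,750 comparisons regardless of how the keys were chosen.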

Overall, the bulletin addresses four issues: one critical, two important (one of them the DoS issue). We recommend installing it as soon as possible if you have web-based infrastructure that uses ASP.NET.

Source: http://feedproxy.google.com/~r/HelpNetSecurity/~3/scDjx66gPT8/secworld.php
