Microsoft announces ASP.NET zero-day vuln

Just in case anybody’s got a BOFH working at the moment, pay attention: Microsoft has released a security advisory covering a zero-day vulnerability in ASP.NET. “The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision,” the advisory says. The vulnerability exposes …

COMMENTS

This topic is closed for new posts.

Also...

"PHP 5, Java, ASP.NET as well as V8 are fully vulnerable to this issue and PHP 4, Python and Ruby are partially vulnerable, depending on version or whether the server running the code is a 32-bit or 64-bit machine"

http://www.nruns.com/_downloads/advisory28122011.pdf

2
0

There goes my day off.

0
0
Facepalm

Spell check yourself for crying out loud

Attrack...

Dude, I've got a spell checker in Chrome.

What are you? A squirrel typing inside a dead tree?

1
0
Anonymous Coward

luddite

Using Chrome! What are you? A luddite?

[alternative comment] Chrome? Here's a nickel kid, buy yourself a decent browser. [/alternative comment]

4
1
Anonymous Coward

A more permanent solution?

Two ideas for a more permanent solution:

apt-get remove microsoft-iis-5.0

apt-get install apache2

alternative instructions may be found here:

http://httpd.apache.org/docs/1.3/windows.html

;-)

1
12
Anonymous Coward

Thank you for demonstrating why using open source technologies can be more dangerous than using Microsoft technologies in the real world.

As the post above stated (which you clearly did not read, because you know better) this issue actually affects multiple application platforms to varying degrees (PHP, Java, ASP.NET, v8, Python and Ruby) so unless your proposed Apache solution is to just serve static content – and your business won’t thank you for that - then it probably won't help at all.

Please read http://www.kb.cert.org/vuls/id/903934.

Microsoft is releasing a patch for this today:

http://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to-address-security-advisory-2659883.aspx

All good Windows sysadmins will have a patching process in place and so will be applying this as soon as it can be tested against their production applications.

Meanwhile the open source evangelists will do nothing in the mistaken and arrogant belief that because their systems are not Microsoft they must be secure while they may well be vulnerable to this issue - and will likely remain so indefinitely without an established patching process in place.

When did you last patch your PHP/Ruby/Tomcat/Python installation?

6
3
Facepalm

Dear Mr AC...you know what? I'm with the other AC. Read the advisory, and after the paragraph which describes the type of error, and yes I'd agree that it *could* affect python or ruby or any other server side language, the issue here is that *is* affecting asp.net due to:

"...the way that ADO.NET processes values in an ADO.NET form post, causing hash collisions."

This isn't about ruby, or python, or anything else but ADO.NET.

So, as these projects haven't used Microsoft code for their hash table implementation, then I would suggest that such projects as ruby and python are not affected by this Microsoft code...of course they may have other problems, but the joy of FLOSS is that anyone - even you - can take a look at the code to make sure that the same problem doesn't occur there...now if we could only get a look at the code to see the mistake Microsoft made we could confirm whether the open source code made the same mistakes.

2
2
Go

@ac 09:23

Just out of curiosity, what would you expect from a change from IIS to Apache?

IIS and Apache are the worst performing web servers available.

Sure one is open source but frankly did you even *try* to look at the actual code? If yes, did you understand it all? If no, do you even remotely know someone who did?

Here are two links (for impartiality) to performing web servers:

http://gwan.com/

http://www.lighttpd.net/

Cheers

0
1
Facepalm

No, it isn't about Microsoft code

It's about the hashing algorithm, which the paper explains quite clearly. So, although Ruby, v8, PHP and Java don't use the MS code, they _do_ use similar algorithms with the exact same problems. If you go back to the original paper, it's interesting to note that the original target was actually a Linux machine.

The real question here is that the underlying issue has been known since 2003 and only addressed by Perl and CRuby until now...

1
0
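The point made in the comment above, that the weakness lies in the hashing algorithm rather than in one vendor's code, shown as an added example that is not part of the thread or of any product's source. It assumes an unkeyed multiply-by-33 string hash as a stand-in for a platform hash (the thread does not name one), and `accept_form`, its limits, and the sample keys are hypothetical and constructed here.

```python
import hashlib
import itertools

def mult33_hash(key: str) -> int:
    """Unkeyed multiply-by-33 string hash, 32-bit (stand-in, not ASP.NET's)."""
    h = 5381
    for byte in key.encode():
        h = (h * 33 + byte) & 0xFFFFFFFF
    return h

def keyed_hash(key: str, secret: bytes) -> int:
    """Keyed hash: BLAKE2b MAC with a per-process secret the client never sees."""
    digest = hashlib.blake2b(key.encode(), digest_size=8, key=secret).digest()
    return int.from_bytes(digest, "big")

def longest_chain(keys, hash_fn, buckets: int = 1024) -> int:
    """Length of the fullest bucket if `keys` were stored in a chained table."""
    counts = {}
    for k in keys:
        slot = hash_fn(k) % buckets
        counts[slot] = counts.get(slot, 0) + 1
    return max(counts.values(), default=0)

def constructed_keys(blocks: int = 8):
    """Constructed sample: "Ez" and "FY" hash alike under h*33+c, so every
    same-length concatenation of them shares one hash value."""
    return ["".join(p) for p in itertools.product(("Ez", "FY"), repeat=blocks)]

def accept_form(keys, hash_fn, max_keys: int = 1000, max_chain: int = 32) -> bool:
    """Server-side guard: cap the key count and refuse a skewed key set."""
    return len(keys) <= max_keys and longest_chain(keys, hash_fn) <= max_chain

if __name__ == "__main__":
    import os
    secret = os.urandom(16)  # fresh per process, so bucket placement is unpredictable
    keys = constructed_keys()
    print("unkeyed longest chain:", longest_chain(keys, mult33_hash))
    print("keyed longest chain:  ", longest_chain(keys, lambda k: keyed_hash(k, secret)))
    print("accepted (unkeyed):   ", accept_form(keys, mult33_hash))
```

With every key in one bucket, each insert walks the whole chain, so the cost of parsing the form grows quadratically with the number of keys; the keyed hash and the key cap each remove that lever.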
Bronze badge
FAIL

Re: A more permanent solution?

Wooooooohhhh... command line! You're really the man aren't you? Who cares if you didn't actually read the advisory and your solution doesn't fix the issue.

The main thing is that you did successfully read the word Microsoft and chipped in with the obligatory negative comments, and a bit of evangelism for fos, phrased in geeky command line terms.

Well done. You are truly one of the gang now.

3
1
Linux

no...that works

The issue here is a Microsoft issue. I mean....it really is, that's why they're releasing a patch for the 0 day vulnerability on their code. The permanent solution doesn't give a fully working ado.net solution back, but at least if someone posts to your website now, they won't be able to potentially break it for everyone.

Command line is good though cos you can at least cut and paste those lines to accomplish something. Think of it like administrative fuzzy felt.

2
5
Anonymous Coward

@Mike

You can cut and paste "apt" commands and actually achieve something, on Windows?

1
0
Anonymous Coward

Oh, come on

It's pseudo-code

0
0
Anonymous Coward

No...

It's pseudo-thinking, which seems to have been here in numbers that would shame Slashdot in the last week or so.

What has happened? Have the last few commenting adults had to deal with their families for Christmas and leave the comments forum to stroppy teenagers?

0
2
Coat

Isn't asp.net a denial of service per se?

Ok ---------------->[- ]

1
2
Windows

@mikeHegley

ADO.Net? I thought it was a 0 day vuln, not a -3000 day vuln =) But then I suppose all Microsoft technologies look the same to you.

1
0