Forgot your password?
typodupeerror
Microsoft Programming Security

Microsoft Issuing Unusual Out-of-Band Security Update 156

Posted by timothy
from the rolls-downhill dept.
wiredmikey writes "In a rare move, Microsoft is breaking its normal procedures and will issue an emergency out-of-band security update on Thursday to address a hash collision attack vulnerability that came into the spotlight yesterday, and affects various Web platforms industry-wide. The vulnerability is not specific to Microsoft technologies and has been discovered to impact PHP 5, Java, .NET, and Google's v8, while PHP 4, Ruby, and Python are somewhat vulnerable. Microsoft plans to release the bulletin on December 29, 2011, at 10:00 AM Pacific Time, and said it would addresses security vulnerabilities in all supported releases of Microsoft Windows. 'The impact of this vulnerability is similar to other Denial of Service attacks that have been released in the past, such as the Slowloris DoS or the HTTP POST DoS,' said security expert Chris Eng. 'Unlike traditional DoS attacks, they could be conducted with very small amounts of bandwidth. This hash table multi-collision bug shares that property.'"
This discussion has been archived. No new comments can be posted.

Microsoft Issuing Unusual Out-of-Band Security Update

Comments Filter:
  • by Anonymous Coward on Thursday December 29, 2011 @10:35AM (#38525560)

    Do you realize the irony of calling someone else a shill, given the content of your message?

    It wasn't that long ago that Slashdot conversations were both rational and coherently written. Thanks for ruining both of those things for everyone.

  • Priorities (Score:5, Insightful)

    by rsmith-mac (639075) on Thursday December 29, 2011 @10:36AM (#38525570)
    There's a giant fucking DDoS bug in the hash table implementations of Java, PHP5, and Windows, and Slashdot presents it as a Windows security update?! Get your priorities straight and fix the title and the summary you nitwits, so that other admins see that this article is important. This is going to affect a lot more of us than just the Windows users.
  • by pro151 (2021702) on Thursday December 29, 2011 @10:52AM (#38525768)
    Will slashdot ever do away with the anonymous coward abilty to post? That would eliminate most of the trolls.
  • by Light303 (1335283) on Thursday December 29, 2011 @10:59AM (#38525830)

    Just to make it clear - this affects a whole lot of systems and is based on a flaw in the design of hash-tables:

    http://packetstormsecurity.org/files/108209/n.runs-SA-2011.004.txt [packetstormsecurity.org]

    Basically you can pre-calculate a huge set of POST parameter names which will all be hashed to the same value. Since these are stored in a hash-map by most web-frameworks - this will lead to a o(n) lookup time instead of a o(1) lookup time, when testing the hash-map for a given parameter name.
    This will max out your cpu quite quickly depending on how many lookups you perform per request.

    Since the attack has "script kiddie" difficulty, this needs to be patched ASAP by all vendors ... or we will see a lot a downtime on many public servers.

  • by neokushan (932374) on Thursday December 29, 2011 @11:04AM (#38525880)

    No it wouldn't, there's PLENTY of obvious troll accounts on Slashdot. To be honest, it's all part of the parcel of Slashdot. The first post is generally a waste of time. The second post is usually also a waste of time, often someone trying to GET the first post. The real discussions happen further down, where the trolls can't be bothered to read.

    Despite all the idiots, I still find slashdot to be a worthy place for discussion with plenty of insightful and knowledgeable people around - you just have to look for it.

  • by neokushan (932374) on Thursday December 29, 2011 @11:15AM (#38526010)

    No, I believe "out-of-band" is correct, if you go by the following definition:

    "In general language, out-of-band refers to communications which occur outside of a previously established communication method or channel"

    The "Method or Channel" in this instance is Patch Tuesday.

  • by Waffle Iron (339739) on Thursday December 29, 2011 @11:24AM (#38526168)

    This is not an issue with a hash function. This is a security issue that involves validating external inputs to a program before attempting to operate on them.

    The web servers shouldn't be attempting to store these values in a hashtable at all. Sanity checks should be rejecting requests that have too many parameters in the first place.

Life. Don't talk to me about life. - Marvin the Paranoid Anroid

Working...