Microsoft Issuing Unusual Out-of-Band Security Update
wiredmikey writes "In a rare move, Microsoft is breaking its normal procedures and will issue an emergency out-of-band security update on Thursday to address a hash collision attack vulnerability that came into the spotlight yesterday, and affects various Web platforms industry-wide. The vulnerability is not specific to Microsoft technologies and has been discovered to impact PHP 5, Java, .NET, and Google's v8, while PHP 4, Ruby, and Python are somewhat vulnerable. Microsoft plans to release the bulletin on December 29, 2011, at 10:00 AM Pacific Time, and said it would address security vulnerabilities in all supported releases of Microsoft Windows. 'The impact of this vulnerability is similar to other Denial of Service attacks that have been released in the past, such as the Slowloris DoS or the HTTP POST DoS,' said security expert Chris Eng. 'Unlike traditional DoS attacks, they could be conducted with very small amounts of bandwidth. This hash table multi-collision bug shares that property.'"
Re:Microsoft updates before Google and Oracle? (Score:5, Insightful)
Do you realize the irony of calling someone else a shill, given the content of your message?
It wasn't that long ago that Slashdot conversations were both rational and coherently written. Thanks for ruining both of those things for everyone.
Priorities (Score:5, Insightful)
Re:Microsoft updates before Google and Oracle? (Score:0, Insightful)
Technical Background (Score:5, Insightful)
Just to make it clear - this affects a whole lot of systems and is based on a flaw in the design of hash-tables:
http://packetstormsecurity.org/files/108209/n.runs-SA-2011.004.txt
Basically you can pre-calculate a huge set of POST parameter names which will all be hashed to the same value. Since these are stored in a hash-map by most web-frameworks - this will lead to an O(n) lookup time instead of an O(1) lookup time, when testing the hash-map for a given parameter name.
This will max out your cpu quite quickly depending on how many lookups you perform per request.
Since the attack has "script kiddie" difficulty, this needs to be patched ASAP by all vendors ... or we will see a lot of downtime on many public servers.
Re:Microsoft updates before Google and Oracle? (Score:4, Insightful)
No it wouldn't, there's PLENTY of obvious troll accounts on Slashdot. To be honest, it's all part of the parcel of Slashdot. The first post is generally a waste of time. The second post is usually also a waste of time, often someone trying to GET the first post. The real discussions happen further down, where the trolls can't be bothered to read.
Despite all the idiots, I still find slashdot to be a worthy place for discussion with plenty of insightful and knowledgeable people around - you just have to look for it.
Re:That is *not* out-of-band (Score:2, Insightful)
No, I believe "out-of-band" is correct, if you go by the following definition:
"In general language, out-of-band refers to communications which occur outside of a previously established communication method or channel"
The "Method or Channel" in this instance is Patch Tuesday.
Re:Changing a hash function... (Score:5, Insightful)
This is not an issue with a hash function. This is a security issue that involves validating external inputs to a program before attempting to operate on them.
The web servers shouldn't be attempting to store these values in a hashtable at all. Sanity checks should be rejecting requests that have too many parameters in the first place.
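The O(n) degradation described in the "Technical Background" comment above, together with the parameter-count sanity check this comment proposes, as an added Python demonstration that is not part of the thread: a toy chained hash table counts key comparisons for names that collide under an unkeyed hash versus a keyed one, and a form parser refuses bodies with too many fields before anything is hashed. NBUCKETS, MAX_PARAMS and the helper names are assumptions made for the demo; the colliding names are constructed sample input.

```python
import hashlib
import os
import random
from urllib.parse import parse_qsl

NBUCKETS = 256        # deliberately tiny toy table, so colliding names are cheap to find
MAX_PARAMS = 100      # assumed per-request limit; a real deployment tunes this per application


def weak_bucket(name: str) -> int:
    """Unkeyed multiplicative string hash, the shape most runtimes used in 2011."""
    h = 0
    for ch in name:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h % NBUCKETS


def keyed_bucket(name: str, secret: bytes = os.urandom(16)) -> int:
    """Keyed hash (BLAKE2b with a per-process secret chosen once at import):
    bucket positions cannot be precomputed without knowing the secret."""
    digest = hashlib.blake2b(name.encode(), key=secret, digest_size=4).digest()
    return int.from_bytes(digest, "big") % NBUCKETS


def insert_all(names, bucket_fn) -> int:
    """Separate-chaining insert of parameter names; returns the total number of
    key comparisons, which is the CPU cost the attack inflates."""
    buckets = [[] for _ in range(NBUCKETS)]
    probes = 0
    for n in names:
        chain = buckets[bucket_fn(n)]
        probes += len(chain)        # every existing entry is compared before appending
        chain.append(n)
    return probes


def colliding_names(count: int, seed: int = 0) -> list:
    """Constructed sample input: random names filtered down to one weak bucket."""
    rng = random.Random(seed)
    found = set()
    target = weak_bucket("p0")
    while len(found) < count:
        name = "".join(rng.choices("abcdefghijklmnopqrstuvwxyz", k=8))
        if weak_bucket(name) == target:
            found.add(name)
    return sorted(found)


def parse_form(body: str, max_params: int = MAX_PARAMS) -> dict:
    """Sanity check before any hashing: parse_qsl counts separators up front and
    raises ValueError when the body carries more than max_params fields."""
    return dict(parse_qsl(body, keep_blank_values=True, max_num_fields=max_params))
```

With 50 colliding names the unkeyed table performs 1225 comparisons (the full n(n-1)/2), while the keyed table spreads the same names across buckets and stays in the single digits.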