Microsoft Issuing Unusual Out-of-Band Security Update
wiredmikey writes "In a rare move, Microsoft is breaking its normal procedures and will issue an emergency out-of-band security update on Thursday to address a hash collision attack vulnerability that came into the spotlight yesterday, and affects various Web platforms industry-wide. The vulnerability is not specific to Microsoft technologies and has been discovered to impact PHP 5, Java, .NET, and Google's v8, while PHP 4, Ruby, and Python are somewhat vulnerable. Microsoft plans to release the bulletin on December 29, 2011, at 10:00 AM Pacific Time, and said it would address security vulnerabilities in all supported releases of Microsoft Windows. 'The impact of this vulnerability is similar to other Denial of Service attacks that have been released in the past, such as the Slowloris DoS or the HTTP POST DoS,' said security expert Chris Eng. 'Unlike traditional DoS attacks, they could be conducted with very small amounts of bandwidth. This hash table multi-collision bug shares that property.'"
Microsoft updates before Google and Oracle? (Score:5, Interesting)
Now, now... (Score:4, Interesting)
Re:Priorities (Score:3, Interesting)
You've gotta love how /. reports this in an unbiased way :)
BTW it is not DDoS but just DoS (no distributed coordinated attack needed, just a single request). Also it is not a bug in the hashtable implementation per se. You could argue that in the general case of a library hashtable one should prefer speed and predictability to DoS protection and use a separate kind of HashTable for this kind of input. I am curious how companies will choose to patch this vulnerability.
no fix for Python in the making (Score:5, Interesting)
Also the fixes PHP 5.4rc (and tomcat, and
Re:That is *not* out-of-band (Score:3, Interesting)
You're wrong, though. Out-of-band has a very specific meaning. It refers to having a backup management channel that is independent from your main network in case you accidentally turn off the wrong port or get a cut. For example, many of our Fiber Optic sites also have a dial-up modem tied to copper, just in case all the fiber goes down at once.
This security update is in no sense out of band, it's just expedited a bit.
Re:That is *not* out-of-band (Score:5, Interesting)
Out-of-band doesn't have a "specific" meaning, though; that's kind of the point. In your workplace, it may mean one thing; however, in this context the meaning is different. It means something else entirely when you talk about network protocols, for example.
However, if you're still sure you're correct, rather than posting about it on slashdot, you might want to tell Microsoft themselves that they're using the wrong term: http://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to-address-security-advisory-2659883.aspx
Re:Priorities (Score:2, Interesting)
"should prefer speed and predictability"
This is rubbish bullsh!t. Randomized hash functions are as simple as adding a simple XOR with a value generated randomly when the application starts up.
For every get(...) or contains(...) in your hash maps you have to do a SINGLE ADDITIONAL XOR.
Your "perfs" argument is full bullsh!t.
Btw Perl does just this and even if *you* consider it a feature not to use a randomized hash function, today Perl is fine while web servers using hashmaps written in other languages are not...
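As an added example (not code from the thread or from any of the platforms named in it), the toy Python below measures the longest bucket chain a hash table ends up with under three ways of "randomizing" a hash: XORing a startup seed onto the finished hash value, feeding the seed in as the initial state of a polynomial hash, and using a genuinely keyed hash. The polynomial hash, the 2-character blocks that collide under it, and the use of keyed blake2b as a stand-in for a SipHash-style keyed function are all assumptions of this example, constructed for the toy and not derived from any real platform's hash.

```python
import hashlib
from collections import defaultdict
from itertools import product

MASK32 = 0xFFFFFFFF


def poly_hash(key: str, seed: int = 0) -> int:
    """Constructed toy polynomial hash (multiplier 33, 32-bit), not a real platform's function."""
    h = seed & MASK32
    for byte in key.encode():
        h = (h * 33 + byte) & MASK32
    return h


def unkeyed(key: str, seed: int) -> int:
    """Baseline: the seed is ignored entirely."""
    return poly_hash(key)


def xor_at_end(key: str, seed: int) -> int:
    """The 'single additional XOR' idea: seed applied after hashing. Equal inputs stay equal."""
    return poly_hash(key) ^ (seed & MASK32)


def seeded_state(key: str, seed: int) -> int:
    """Seed as initial state of the polynomial hash; block-structured collisions survive this too."""
    return poly_hash(key, seed)


def keyed_hash(key: str, seed: int) -> int:
    """Assumption: a real keyed hash (blake2b with a key) standing in for SipHash-style hashing."""
    digest = hashlib.blake2b(key.encode(), key=seed.to_bytes(8, "little"), digest_size=8).digest()
    return int.from_bytes(digest, "little")


def colliding_keys(n_blocks: int = 8) -> list[str]:
    """Constructed input: 'Aa' and 'B@' contribute 65*33+97 == 66*33+64 to poly_hash from any
    state, so every concatenation of n_blocks such blocks hashes alike: 2**n_blocks keys."""
    return ["".join(blocks) for blocks in product(("Aa", "B@"), repeat=n_blocks)]


def max_chain_length(keys: list[str], hash_fn, seed: int, nbuckets: int = 1024) -> int:
    """Longest chain in a chained hash table of nbuckets buckets: the quantity that blows up
    under this DoS and the one worth measuring when evaluating a mitigation."""
    buckets = defaultdict(int)
    for key in keys:
        buckets[hash_fn(key, seed) % nbuckets] += 1
    return max(buckets.values())


def compare(seed: int) -> dict[str, int]:
    """Max chain length for the constructed colliding set under each scheme, same seed throughout."""
    keys = colliding_keys()
    return {fn.__name__: max_chain_length(keys, fn, seed)
            for fn in (unkeyed, xor_at_end, seeded_state, keyed_hash)}
```

Only the keyed hash spreads the constructed keys across buckets; the two XOR/seed-in-state variants leave all 256 of them in one chain, because a seed that is applied uniformly to every key cannot separate inputs the underlying function already maps together.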