Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Issuing Unusual Out-of-Band Security Update

Posted by timothy on from the rolls-downhill dept.

wiredmikey writes "In a rare move, Microsoft is breaking its normal procedures and will issue an emergency out-of-band security update on Thursday to address a hash collision attack vulnerability that came into the spotlight yesterday, and affects various Web platforms industry-wide. The vulnerability is not specific to Microsoft technologies and has been discovered to impact PHP 5, Java, .NET, and Google's v8, while PHP 4, Ruby, and Python are somewhat vulnerable. Microsoft plans to release the bulletin on December 29, 2011, at 10:00 AM Pacific Time, and said it would addresses security vulnerabilities in all supported releases of Microsoft Windows. 'The impact of this vulnerability is similar to other Denial of Service attacks that have been released in the past, such as the Slowloris DoS or the HTTP POST DoS,' said security expert Chris Eng. 'Unlike traditional DoS attacks, they could be conducted with very small amounts of bandwidth. This hash table multi-collision bug shares that property.'"

8 of 156 comments (clear)

  1. That is *not* out-of-band by Anonymous Coward · · Score: 4, Informative

    Out-of-band would involve them mailing a CD to recipients, or some other form of delivery other than the Internet.

    The phrase for which you were searching is "off-schedule".

  2. Re:Priorities by nman64 · · Score: 5, Informative

    That the DDoS exists is yesterday's news (nevermind that it didn't make the Slashdot front page.) The point of this post is that Microsoft is issuing an out-of-band update. A security-aware and in-touch admin should have already learned of the n.runs advisory yesterday. If they were really on top of things, they may have been aware of the potential danger as far back as 2003.

  3. 28th chaos communication congress revelead this by Anonymous Coward · · Score: 5, Informative

    the Chaos Computer Club is doing their congress at the moment and the hash collision problem was topic yesterday:

    28c3: Effective Denial of Service attacks against web application platforms
    http://www.youtube.com/watch?v=R2Cq3CLI6H8

  4. Re:Patents could have saved us! by Nerdfest · · Score: 4, Informative

    You do realize that patenting of patenting hash table parsing would mean that even if someone came up with a different way of doing it, it would still be in violation, don't you? That's one of the problems with software patents ... it's not the implementation that's patented, it's the idea.

  5. This presentation at 28C3 (with video) by praseodym · · Score: 4, Informative

    This research was presented by n.runs at the 28th Chaoas Communication Congress: http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html.

    The presentation was recorded and can be viewed at http://www.youtube.com/watch?v=R2Cq3CLI6H8.

  6. Re:Changing a hash function... by vikingpower · · Score: 4, Informative

    Be advised that there IS collision resolution present in e.g. java.util.Hashtable; the default load factor is 0.75, which in practical use ( I've been playing with that class for over 12 years now ) is very close to optimal for run-of-the-mill uses. Also, there is the stratetegy of internal collision recording. I do agree, though, that it is not feasible to implement such tactics in the hashCode() method of any POJO. Which is, IMHO, a re-design of the java.lang.Object.hashCode() method would be worth thinking of.

    --
    Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  7. If using PHP5, change max_input_time by Maow · · Score: 5, Informative

    I agree with others, this is not a Microsoft issue, it's an issue for all sysadmins.

    Anyway, from http://packetstormsecurity.org/files/108209/n.runs-SA-2011.004.txt is this helpful bit to reduce your susceptibility to attack, if you're using PHP:

    The maximal POST request size is typically limited to 8 MB, which when
    filled with a set of multi-collisions would consume about four hours of
    CPU time on an i7 core. Luckily, this time can not be exhausted because
    it is limited by the max_input_time (default configuration: -1,
    unlimited), Ubuntu and several BSDs: 60 seconds) configuration
    parameter. If the max_input_time parameter is set to -1 (theoretically:
    unlimited), it is bound by the max_execution_time configuration
    parameter (default value: 30).

  8. Better Writeup by inglorion_on_the_net · · Score: 5, Informative

    Here is a better writeup from Ars Technica: http://arstechnica.com/business/news/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack.ars

    From that page:

    the flaw affects a long list of technologies, including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google's open source JavaScript engine V8

    the theory behind such attacks has been known since at least 2003

    Klink and WÃlde showed that "PHP 5, Java, ASP.NET as well as V8 are fully vulnerable to this issue and PHP 4, Python and Ruby are partially vulnerable, depending on version or whether the server running the code is a 32-bit or 64-bit machine

    The actual vulnerability seems to be that many web applications (or application servers or libraries or what have you) parse form data from HTTP POST requests into hash tables, using known hashing algorithms. If an attacker sends a POST request using specifically crafted parameter names that all hash to the same value, inserting these into the hash table will take O(n^2) time, which opens up affected software to a denial of service attack.

    --
    Please correct me if I got my facts wrong.