Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Issuing Unusual Out-of-Band Security Update

Posted by timothy on from the rolls-downhill dept.

wiredmikey writes "In a rare move, Microsoft is breaking its normal procedures and will issue an emergency out-of-band security update on Thursday to address a hash collision attack vulnerability that came into the spotlight yesterday, and affects various Web platforms industry-wide. The vulnerability is not specific to Microsoft technologies and has been discovered to impact PHP 5, Java, .NET, and Google's v8, while PHP 4, Ruby, and Python are somewhat vulnerable. Microsoft plans to release the bulletin on December 29, 2011, at 10:00 AM Pacific Time, and said it would addresses security vulnerabilities in all supported releases of Microsoft Windows. 'The impact of this vulnerability is similar to other Denial of Service attacks that have been released in the past, such as the Slowloris DoS or the HTTP POST DoS,' said security expert Chris Eng. 'Unlike traditional DoS attacks, they could be conducted with very small amounts of bandwidth. This hash table multi-collision bug shares that property.'"

18 of 156 comments (clear)

  1. Microsoft updates before Google and Oracle? by InterestingFella · · Score: 5, Interesting

    Why is Google not updating v8? And where is Java update? If Microsoft rushes to update their software before others, it is kind of telling. Well, good job for MS.

    1. Re:Microsoft updates before Google and Oracle? by Anonymous Coward · · Score: 5, Insightful

      Do you realize the irony of calling someone else a shill, given the content of your message?

      It wasn't that long ago that Slashdot conversations were both rational and coherently written. Thanks for ruining both of those things for everyone.

    2. Re:Microsoft updates before Google and Oracle? by neokushan · · Score: 4, Insightful

      No it wouldn't, there's PLENTY of obvious troll accounts on Slashdot. To be honest, it's all part of the parcel of Slashdot. The first post is generally a waste of time. The second post is usually also a waste of time, often someone trying to GET the first post. The real discussions happen further down, where the trolls can't be bothered to read.

      Despite all the idiots, I still find slashdot to be a worthy place for discussion with plenty of insightful and knowledgeable people around - you just have to look for it.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    3. Re:Microsoft updates before Google and Oracle? by jhigh · · Score: 4, Funny

      I've been here a long time, and I can't say that I ever remember conversations being rational - although they are occasionally coherent.

      --
      Social Engineering Expert: Because there is no patch for stupidity.
  2. Priorities by rsmith-mac · · Score: 5, Insightful

    There's a giant fucking DDoS bug in the hash table implementations of Java, PHP5, and Windows, and Slashdot presents it as a Windows security update?! Get your priorities straight and fix the title and the summary you nitwits, so that other admins see that this article is important. This is going to affect a lot more of us than just the Windows users.

    1. Re:Priorities by nman64 · · Score: 5, Informative

      That the DDoS exists is yesterday's news (nevermind that it didn't make the Slashdot front page.) The point of this post is that Microsoft is issuing an out-of-band update. A security-aware and in-touch admin should have already learned of the n.runs advisory yesterday. If they were really on top of things, they may have been aware of the potential danger as far back as 2003.

  3. Now, now... by idbeholda · · Score: 4, Interesting

    Everyone has the right to post things that clearly show they're a complete retard. Unfortunately, it doesn't mean that they have ability to comprehend the result of their actions.

  4. That is *not* out-of-band by Anonymous Coward · · Score: 4, Informative

    Out-of-band would involve them mailing a CD to recipients, or some other form of delivery other than the Internet.

    The phrase for which you were searching is "off-schedule".

    1. Re:That is *not* out-of-band by neokushan · · Score: 5, Interesting

      Out-of-band doesn't have a "specific" meaning, though, that's kind of the point. In your workplace, it may mean one thing, however in this context the meaning is different. It means something else entirely when you talk about network protocols, for example.

      However, if you're still sure you're correct, rather than posting about it on slashdot, you might want to tell Microsoft themselves that they're using the wrong term: http://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to-address-security-advisory-2659883.aspx

      Today we’re providing advance notification for an out-of-band security update to address the publicly disclosed issue described in Security Advisory 2659883. The release is scheduled for tomorrow, December 29, at approximately 10 a.m. PST.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  5. Technical Background by Light303 · · Score: 5, Insightful

    Just to make it clear - this affects a whole lot of systems and is based on a flaw in the design of hash-tables:

    http://packetstormsecurity.org/files/108209/n.runs-SA-2011.004.txt

    Basically you can pre-calculate a huge set of POST parameter names which will all be hashed to the same value. Since these are stored in a hash-map by most web-frameworks - this will lead to a o(n) lookup time instead of a o(1) lookup time, when testing the hash-map for a given parameter name.
    This will max out your cpu quite quickly depending on how many lookups you perform per request.

    Since the attack has "script kiddie" difficulty, this needs to be patched ASAP by all vendors ... or we will see a lot a downtime on many public servers.

  6. 28th chaos communication congress revelead this by Anonymous Coward · · Score: 5, Informative

    the Chaos Computer Club is doing their congress at the moment and the hash collision problem was topic yesterday:

    28c3: Effective Denial of Service attacks against web application platforms
    http://www.youtube.com/watch?v=R2Cq3CLI6H8

  7. Re:Patents could have saved us! by Nerdfest · · Score: 4, Informative

    You do realize that patenting of patenting hash table parsing would mean that even if someone came up with a different way of doing it, it would still be in violation, don't you? That's one of the problems with software patents ... it's not the implementation that's patented, it's the idea.

  8. no fix for Python in the making by HTD · · Score: 5, Interesting

    What worries me the most is that according to the guys holding the presentation there was no reponse from the python team on that issue. Also plone, a web platform based on python, they tested their attack against it and notified the plone guys, didn't implement any countermeasures after being notified. This was fixed in perl in 2003, it's interesting that the opensource community didn't bother to check the hashtable implementations of all other languages back then. Are they in competition not telling others that something important needs to be fixed? Java devs, chose not to change their hash algo in 2003 BTW because it is a too integral part. Well the modified version is in use for 8 years in perl, might wanna upgrade it this time ;)
    Also the fixes PHP 5.4rc (and tomcat, and ...) implemented are just workarounds that were already available before with the suhosin extension for example. Limiting the number of variables you can POST is a wannabe fix, can be circumvented with JSON for example (given that the app uses json_decode() on the receiving end).

  9. This presentation at 28C3 (with video) by praseodym · · Score: 4, Informative

    This research was presented by n.runs at the 28th Chaoas Communication Congress: http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html.

    The presentation was recorded and can be viewed at http://www.youtube.com/watch?v=R2Cq3CLI6H8.

  10. Re:Changing a hash function... by vikingpower · · Score: 4, Informative

    Be advised that there IS collision resolution present in e.g. java.util.Hashtable; the default load factor is 0.75, which in practical use ( I've been playing with that class for over 12 years now ) is very close to optimal for run-of-the-mill uses. Also, there is the stratetegy of internal collision recording. I do agree, though, that it is not feasible to implement such tactics in the hashCode() method of any POJO. Which is, IMHO, a re-design of the java.lang.Object.hashCode() method would be worth thinking of.

    --
    Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  11. Re:Changing a hash function... by Waffle+Iron · · Score: 4, Insightful

    This is not an issue with a hash function. This is a security issue that involves validating external inputs to a program before attempting to operate on them.

    The web servers shouldn't be attempting to store these values in a hashtable at all. Sanity checks should be rejecting requests that have too many parameters in the first place.

  12. If using PHP5, change max_input_time by Maow · · Score: 5, Informative

    I agree with others, this is not a Microsoft issue, it's an issue for all sysadmins.

    Anyway, from http://packetstormsecurity.org/files/108209/n.runs-SA-2011.004.txt is this helpful bit to reduce your susceptibility to attack, if you're using PHP:

    The maximal POST request size is typically limited to 8 MB, which when
    filled with a set of multi-collisions would consume about four hours of
    CPU time on an i7 core. Luckily, this time can not be exhausted because
    it is limited by the max_input_time (default configuration: -1,
    unlimited), Ubuntu and several BSDs: 60 seconds) configuration
    parameter. If the max_input_time parameter is set to -1 (theoretically:
    unlimited), it is bound by the max_execution_time configuration
    parameter (default value: 30).

  13. Better Writeup by inglorion_on_the_net · · Score: 5, Informative

    Here is a better writeup from Ars Technica: http://arstechnica.com/business/news/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack.ars

    From that page:

    the flaw affects a long list of technologies, including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google's open source JavaScript engine V8

    the theory behind such attacks has been known since at least 2003

    Klink and WÃlde showed that "PHP 5, Java, ASP.NET as well as V8 are fully vulnerable to this issue and PHP 4, Python and Ruby are partially vulnerable, depending on version or whether the server running the code is a 32-bit or 64-bit machine

    The actual vulnerability seems to be that many web applications (or application servers or libraries or what have you) parse form data from HTTP POST requests into hash tables, using known hashing algorithms. If an attacker sends a POST request using specifically crafted parameter names that all hash to the same value, inserting these into the hash table will take O(n^2) time, which opens up affected software to a denial of service attack.

    --
    Please correct me if I got my facts wrong.