The Tech Herald

Microsoft releases patch for hash collision DoS

by Steve Ragan - Dec 30 2011, 00:35

Microsoft releases patch for hash collision DoS.(IMG:J.Anderson)

Microsoft and several other platform developers have either addressed, or are currently working to resolve, a hash collision problem, which if exploited can trigger a denial-of-service condition. On Thursday, Microsoft pushed an emergency patch to address the issue on .NET, making them the latest to correct it.

The problem was first researched and exposed in 2003, but later research has discovered the issue on a wider scale, including most of the mainstream web development platforms deployed today.

At issue is the POST function, which can attacked to trigger a DoS. According to n.runs AG, the firm that reported on the issue, the usage of hash tables in Perl and CRuby was found vulnerable to collisions in 2003, prompting the platforms introduce randomization in order to address the issue.

Today, the same condition of collision has been discovered to impact PHP 5, Java, .NET, and Google’s v8, while PHP 4, Ruby, and Python are somewhat vulnerable.

“Any website running one of the above technologies which provides the option to perform a POST request is vulnerable to very effective DoS attacks. As the attack is just a POST request, it could also be triggered from within a (third-party) website. This means that a cross-site-scripting vulnerability on a popular website could lead to a very effective DDoS attack (not necessarily against the same website),” the n.runs AG report explains.

The initial n.runs AG research is here.

The Ruby, Tomcat, and PHP security teams have addressed the issue, with new releases and mitigations. Oracle hasn’t made any moves to address the problem, and Microsoft went out-of-band to release a patch for the issue on Thursday.

“While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible,” Microsoft said in a statement.

During the 28th CCC conference in Germany (28c3), Alexander Klink and Julian Wälde discuss the vulnerability. The video is available here, and worth the time spent watching if you’re a developer or systems administrator.

“We consider Microsoft's reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers work,” noted Qualys’ Wolfgang Kandek.

“The bulletin fixes the DOS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 500, which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.”

Around the Web

Comment on this Story

comments powered by Disqus


Chevrolet shows off the 2015 Colorado with digital experience

Chevrolet has launched a new website to show buyers all the bells and whistles available on ...

Mazda to debut CX-3 and MX-5 at Los Angeles Auto Show

Mazda has announced plans to premiere the new Mazda CX 3, its new compact crossover SUV, at ...

Ford issues safety recall for 204,448 Ford Edge and Lincoln MKX

Ford has issued a safety recall for 204,448 of the 2007-2008 Ford Edge and Lincoln MKX in No...

Mopar Previews SEMA Custom Rides

We have added a set of pictures released by Mopar ahead of the SEMA Show. Mopar are bri...

Audi R8 Competition – The Most Powerful Production Audi Ever

Audi has revealed details of their new super-fast Audi R8 Competititon — the most powerful a...