The Tech Herald

Microsoft releases patch for hash collision DoS

by Steve Ragan - Dec 30 2011, 00:35


Microsoft and several other platform developers have either addressed, or are currently working to resolve, a hash collision problem, which if exploited can trigger a denial-of-service condition. On Thursday, Microsoft pushed an emergency patch to address the issue on .NET, making them the latest to correct it.

The problem was first researched and exposed in 2003, but later research has discovered the issue on a wider scale, including most of the mainstream web development platforms deployed today.

At issue is the POST function, which can be attacked to trigger a DoS. According to n.runs AG, the firm that reported on the issue, the usage of hash tables in Perl and CRuby was found vulnerable to collisions in 2003, prompting the platforms to introduce randomization in order to address the issue.

Today, the same condition of collision has been discovered to impact PHP 5, Java, .NET, and Google’s v8, while PHP 4, Ruby, and Python are somewhat vulnerable.

“Any website running one of the above technologies which provides the option to perform a POST request is vulnerable to very effective DoS attacks. As the attack is just a POST request, it could also be triggered from within a (third-party) website. This means that a cross-site-scripting vulnerability on a popular website could lead to a very effective DDoS attack (not necessarily against the same website),” the n.runs AG report explains.

The initial n.runs AG research is here.

The Ruby, Tomcat, and PHP security teams have addressed the issue, with new releases and mitigations. Oracle hasn’t made any moves to address the problem, and Microsoft went out-of-band to release a patch for the issue on Thursday.

“While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible,” Microsoft said in a statement.

During the 28th CCC conference in Germany (28c3), Alexander Klink and Julian Wälde discussed the vulnerability. The video is available here, and worth the time spent watching if you’re a developer or systems administrator.

“We consider Microsoft's reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers' work,” noted Qualys’ Wolfgang Kandek.

“The bulletin fixes the DOS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 500, which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.”
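The effect of the cap Kandek describes can be measured with a short sketch. This is an added example, not code from Microsoft, n.runs AG or the article: `ChainedTable`, `worst_case_hash`, `parse_form` and `cost` are hypothetical names, and the constant hash function is an assumption that models a table in which every key has already collided.

```python
from urllib.parse import unquote_plus

MAX_FORM_KEYS = 500  # default limit quoted in the article


class TooManyFormKeys(ValueError):
    """Raised when a POST body carries more variables than allowed."""


class ChainedTable:
    """Toy chained hash table that counts key comparisons on insert."""

    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def worst_case_hash(_key):
    # Assumption for the demo: every key lands in one bucket, the state a
    # collision flood forces on a predictable, non-randomized hash function.
    return 0


def parse_form(body, table, limit=MAX_FORM_KEYS):
    """Parse an x-www-form-urlencoded body, refusing oversized key counts."""
    pairs = [p for p in body.split("&") if p]
    # Count before touching the table, so a rejected request costs O(n) only.
    if limit is not None and len(pairs) > limit:
        raise TooManyFormKeys(f"{len(pairs)} variables exceeds limit {limit}")
    for pair in pairs:
        name, _, value = pair.partition("=")
        table.insert(unquote_plus(name), unquote_plus(value))
    return table


def cost(n_keys, limit):
    """Comparisons spent on a constructed body of n_keys distinct keys."""
    body = "&".join(f"k{i}=v" for i in range(n_keys))
    return parse_form(body, ChainedTable(worst_case_hash), limit).comparisons
```

With every key in one chain, inserting n keys costs n(n-1)/2 comparisons, so the cap bounds the worst case per request at 124,750 comparisons instead of letting it grow quadratically with body size.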
