The Tech Herald

Microsoft releases patch for hash collision DoS

by Steve Ragan - Dec 30 2011, 00:35

Microsoft releases patch for hash collision DoS.(IMG:J.Anderson)

Microsoft and several other platform developers have either addressed, or are currently working to resolve, a hash collision problem, which if exploited can trigger a denial-of-service condition. On Thursday, Microsoft pushed an emergency patch to address the issue on .NET, making them the latest to correct it.

The problem was first researched and exposed in 2003, but later research has discovered the issue on a wider scale, including most of the mainstream web development platforms deployed today.

At issue is the POST function, which can attacked to trigger a DoS. According to n.runs AG, the firm that reported on the issue, the usage of hash tables in Perl and CRuby was found vulnerable to collisions in 2003, prompting the platforms introduce randomization in order to address the issue.

Today, the same condition of collision has been discovered to impact PHP 5, Java, .NET, and Google’s v8, while PHP 4, Ruby, and Python are somewhat vulnerable.

“Any website running one of the above technologies which provides the option to perform a POST request is vulnerable to very effective DoS attacks. As the attack is just a POST request, it could also be triggered from within a (third-party) website. This means that a cross-site-scripting vulnerability on a popular website could lead to a very effective DDoS attack (not necessarily against the same website),” the n.runs AG report explains.

The initial n.runs AG research is here.

The Ruby, Tomcat, and PHP security teams have addressed the issue, with new releases and mitigations. Oracle hasn’t made any moves to address the problem, and Microsoft went out-of-band to release a patch for the issue on Thursday.

“While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible,” Microsoft said in a statement.

During the 28th CCC conference in Germany (28c3), Alexander Klink and Julian Wälde discuss the vulnerability. The video is available here, and worth the time spent watching if you’re a developer or systems administrator.

“We consider Microsoft's reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers work,” noted Qualys’ Wolfgang Kandek.

“The bulletin fixes the DOS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 500, which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.”

Around the Web

Comment on this Story

comments powered by Disqus


2015 Dodge Challenger Pictures and Specs

Great pictures and spec details of the 2015 Dodge Challenger Here are some incredible pictur...

Mercedes-Benz S63 AMG 4MATIC Coupe Pictures and Specs

Check out these awesome pictures of the new Mercedes-Benz S63 AMG 4MATIC Coupe, which was re...

2014 New York Auto Show Pictures – Day One

Here are a selection of the main cars unveiled on the first day of the 2014 New York Auto Sh...

2014 Rolls-Royce Ghost Series 2 Pictures

Rolls-Royce have released a string of pictures of the Rolls-Royce Series II, unveiled at the 2014 ...

Gymkhana star Ken Block and Neymar’s Footkhana Video Teaser

Rally legend Ken Block, star of the famous Gymkhana video series, is releasing a new video to celb...