[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISN] Websites, apps vulnerable to low-bandwidth, bot-free takedown, say researchers
By Gregg Keizer
December 29, 2011
Hackers armed with a single machine and a minimal broadband connection
can cripple Web servers, researchers disclosed Wednesday, putting
uncounted websites and Web apps at risk from denial-of-service attacks.
In a security advisory issued the same day, Microsoft, whose ASP .Net
programming language is one of several affected by the flaw, promised to
patch the vulnerability and offered customers ways to protect their
servers until it releases an update.
In a follow-up message, Microsoft announced it was shipping an
"out-of-band," or emergency update today. The update was released at 1
p.m. ET. Designated MS11-100, it also fixed three other bugs in ASP
.Net, one tagged "critical." None of those three had been disclosed
publicly prior to today.
The problem that caused a stir in the security community exists in many
of the Web's most popular application and site programming languages,
including ASP .Net, the open-source PHP and Ruby, Oracle's Java and
Klink and Julian Walde.
Klink and Walde, who presented their findings at the Chaos Communication
Congress (CCC) conference in Berlin on Wednesday, traced the flaw to
those languages' -- and others' -- handling of hash tables, a
programming structure used to quickly store and retrieve data.
Subscribe to InfoSec News - www.infosecnews.org