Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Websites, apps vulnerable to low-bandwidth, bot-free takedown, say researchers

Gregg Keizer | Dec. 30, 2011
Hackers armed with a single machine and a minimal broadband connection can cripple Web servers, researchers said Wednesday. Microsoft today shipped an emergency update to fix the flaw.

Can and Ness of Microsoft said that the company "anticipate[s] the imminent public release of exploit code," and urged ASP .Net customers to apply the patch or the workarounds described in the advisory.

Other programming language developers have already offered fixes to their software.

Ruby, for instance, has issued an update that includes a new randomized hash function, while PHP has shipped a release candidate for version 5.4.0 .

Some, however, will take their time implementing a fix, said Klink and Walde. Oracle told them there wasn't anything to patch in Java itself, but said it would update the GlassFish Java server software with a future fix.

Klink and Walde credited another pair of researchers -- Scott Crosby and Dan Wallach -- for outlining the attack vector in 2003, and applauded the Perl programming language for patching its flaw then.

During their presentation at CCC, Klink and Walde chastised other vendors for not tackling the problem years ago.

"I'd have to agree that we all expected vendors to have fixed this by now," said Storms. "On the other hand, there is a lot of research out there and its not always possible to be on top of everything. It's not as though this kind of attack has been ongoing in the wild since 2003 and everyone refused to fix it."

Klink and Walde reported their research to oCERT -- the Open Source Computer Security Incident Response Team -- last September. The organization then contacted the various vendors responsible for the affected languages.

oCERT issued its own advisory Wednesday.

Today's patch from Microsoft is its first out-of-band update during 2011. Last year, the company pushed out four emergency updates.

Storms, who had praised Microsoft earlier this month for not having to go out-of-band, noted today that he had issued a caveat even then. "I did say at the December Patch Tuesday that they had a few weeks to go before the year was over," Storms said in an instant message.

Microsoft delivered MS11-100 via its usual Windows Update and Windows Server Update Service (WSUS) channels.

More information about the hash collision flaw can be found in the advisory Klink published on his company's website, and in the notes from their presentation ( download PDF ). Although videos of the Klink and Walde CCC talk were available on YouTube for a time Wednesday, they have since been pulled from the site.


Previous Page  1  2 

Sign up for Computerworld eNewsletters.