Qualys Blog

www.qualys.com
2 posts

Microsoft Releases MS11-100 for ASP.NET DoS Attack

Today Microsoft released a security bulletin addressing a flaw in ASP.NET that was disclosed early morning yesterday at the Chaos Communication Congress (CCC) in Berlin. Microsoft tested and finished MS11-100 in record time, taking about 30 days for the process of integrating this new vulnerability with the fix that was already scheduled for January 2012. We consider Microsoft’s reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers work. We will be tracking how the other projects and vendors affected (PHP, Oracle, Phython, Ruby and others) are rolling out their patches.

The bulletin fixes the DoS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 1000 which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.

Overall the bulletin addresses four issues. CVE-2011-3416 is an ASP.Net Forms Authentication Bypass issue which is rated as critical. CVE-2011-3414 is the hash table collision DoS issue discussed above and is rated as important. CVE-2011-3417 is the ASP.NET Ticket Caching vulnerability which is also rated as important. And finally CVE-2011-3415 is the Insecure Redirect vulnerability which is rated as moderate. We recommend installing as soon as possible if you have web based infrastructure that uses ASP.NET.

Resources:

Microsoft Advisory on client side XSS – 2501696

Today Microsoft published today Security Advisory 2501696 describing a vulnerability (CVE-2011-0096) in the MHTML handler present on all versions of Windows. The vulnerability allows the execution of an XSS attack from a webpage going through Internet Explorer.

The XSS attack can be used to run JavaScript code on the user’s Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering.

The advisory 2501696 describes a work around that disables scripting inside the MHTML handler by setting the corresponding keys in the Windows registry. We expect the release of a FixIt to automate the application of the work around for security conscious end users.

The vulnerability was originally disclosed on the WooYun website The same site disclosed in December a vulnerability in the CSS handler of Internet Explorer "css.css" (CVE-2010-3971). The vulnerability has been acknowledged by Microsoft and Security Advisory 2488013 includes a workaround and a FixIt link to apply.

While the vulnerability is located in a Windows component Internet Explorer is the only known attacker vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules.

Microsoft’s SRD blog has a detailed description of the attack and provides HTML files for local testing.