Microsoft engineers on Thursday gave IT administrators a late Christmas present: a fix for an unpatched and publicly known vulnerability affecting the software giant's ASP.NET web application framework.
One day after disclosing the flaw, which affects ASP.NET versions 1.1 and later on all supported versions of the .NET Framework, Microsoft released an emergency patch, which also addresses three other bugs, all of which were privately reported.
"An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands," the bulletin from Microsoft said.
What makes the previously unpatched bug particularly worrisome is that it enables attackers to use limited means to launch a devastating denial-of-service (DoS) attack against web servers. According to Microsoft, "a single, specially crafted ~100kb HTTP request can consume 100 percent of one CPU core for between 90 to 110 seconds."
"The vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even a cluster of web servers [rendering ASP.NET pages]," Microsoft engineers Suha Can and Jonathan Ness wrote in a blog post on Wednesday. "An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial-of-service condition for even multi-core servers or clusters of servers."
So far, Microsoft is unaware of any active attacks taking advantage of the vulnerability, but experts say exploits are imminent.
And this is not just a Redmond issue. The means by which the flaw is exploited, a new method of "hash collision," is an industry-wide problem and affects multiple platforms, Dave Forstrom, director of Microsoft Trustworthy Computing, said in a Thursday blog post.
"While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible," he wrote. "Consumers are not vulnerable unless they are running a web server from their computer."
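The article describes the mechanism only in outline: a request whose form fields are chosen to collide in the framework's hash table turns cheap inserts into expensive chain walks. The Python below is an added illustration written for this page, not code from Microsoft or from the ASP.NET patch. It uses a toy separate-chaining table that counts the chain links it walks, compares an unkeyed hash (where anagram keys all land in one bucket) with a secret-keyed hash, and shows the two defensive controls the industry adopted in this class of fix: a per-process hash secret and a cap on the number of form fields accepted before parsing. The names `ChainedTable`, `weak_hash`, `keyed_hash`, `anagram_keys`, `insertion_cost`, `form_field_count_ok` and `parse_form_guarded`, the 1000-field limit and the secret value are all assumptions made for the example.

```python
import hashlib
import itertools
from urllib.parse import parse_qsl

# Toy separate-chaining hash table (constructed for this example) that counts
# how many chain entries it compares, so the cost of collisions is measurable.
class ChainedTable:
    def __init__(self, hash_fn, buckets: int = 64):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.probes = 0  # number of key comparisons performed so far

    def insert(self, key: str, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.probes += 1
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def weak_hash(key: str) -> int:
    # Deterministic and unkeyed: every anagram of a key hashes to the same value,
    # so a client can predict which keys share a bucket.
    return sum(ord(c) for c in key)


def keyed_hash(key: str, secret: bytes) -> int:
    # Keyed hash with a per-process secret: bucket placement is not predictable
    # from the key alone. blake2b's key parameter accepts up to 64 bytes.
    digest = hashlib.blake2b(key.encode("utf-8"), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def anagram_keys(base: str = "abcdefg", n: int = 500) -> list:
    # Constructed sample keys: n distinct permutations of the same letters.
    return ["".join(p) for p in itertools.islice(itertools.permutations(base), n)]


def insertion_cost(keys: list, hash_fn) -> int:
    # Returns the total number of key comparisons needed to insert all keys.
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, 1)
    return table.probes


def form_field_count_ok(body: str, max_fields: int = 1000) -> bool:
    # Cheap pre-check: count separators without hashing anything. The 1000
    # limit is an assumed value for the example.
    return body.count("&") + 1 <= max_fields


def parse_form_guarded(body: str, max_fields: int = 1000) -> dict:
    # Reject oversized forms before the hash table is ever touched.
    if not form_field_count_ok(body, max_fields):
        raise ValueError("too many form fields")
    return dict(parse_qsl(body, keep_blank_values=True))


if __name__ == "__main__":
    keys = anagram_keys()
    secret = b"example-per-process-secret"  # constructed; use os.urandom in practice
    print("unkeyed hash, 500 anagram keys:", insertion_cost(keys, weak_hash), "comparisons")
    print("keyed hash,   500 anagram keys:", insertion_cost(keys, lambda k: keyed_hash(k, secret)), "comparisons")
    print("guard accepts small form:", form_field_count_ok("a=1&b=2"))
    print("guard rejects 1001 fields:", not form_field_count_ok("&".join(f"k{i}=v" for i in range(1001))))
```

With the unkeyed hash every one of the 500 keys lands in the same bucket, so inserting them costs 0 + 1 + ... + 499 = 124,750 comparisons, quadratic in the number of fields; with the keyed hash the same keys spread across the 64 buckets and the cost drops by roughly the bucket count. The field-count guard is the complementary control: it bounds the work a single request can trigger regardless of how the keys were chosen.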
The out-of-band patch from Microsoft comes roughly two weeks prior to its regularly scheduled security update.