Microsoft’s monthly Patch Tuesday is not until January 10, but the company is not waiting to patch a critical flaw in computers with the ASP.NET framework installed. The issue affects all currently supported versions of Windows, according to a security bulletin from the company.
According to Microsoft’s description of the flaw, the problem lies in how the framework handles certain web requests. A request crafted in a particular way can allow an elevation of privilege that may lead to the execution of arbitrary code. The flaw is not trivial to exploit, however: the attacker needs some information about the target site and its users.
“In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name”, Microsoft says. Regardless, it means IT administrators may find their holiday weekends a bit shortened as they rush to deploy the fix. Hackers know that IT monitoring is lax over the holidays, making this time of year perfect to launch attacks.
The update also addresses a separate Denial-of-Service risk. A successful attack can drive CPU usage on the server to 100 percent, allowing the attacker to take an unpatched site down in short order.
“The vulnerability exists because of the way that ASP.NET hashes specially crafted requests and inserts that data into a hash table causing a hash collision. When many of these collisions are chained together, the performance of the hash table is greatly degraded leading to the denial of service condition”, Microsoft explains.
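To make the mechanism Microsoft describes concrete, here is an added, self-contained Python illustration of the attack class and of two defenses. It is not Microsoft's code and does not use ASP.NET's real hash function: the `h = h*31 + c` hash below is an assumed stand-in for any deterministic, unkeyed string hash, and the form body is constructed for the demo. Because "Aa" and "BB" hash to the same value under that function, every string built from those two blocks collides, so a form whose field names are all such strings lands in one bucket and each insert walks the whole chain, turning n fields into roughly n²/2 units of work. The two mitigations shown are a per-process keyed hash, which makes collisions unpredictable to the attacker, and a cap on the number of fields accepted per request.

```python
"""Hash-collision denial of service against a form parser, plus mitigations.

Added example (not from the Microsoft bulletin). The hash function, the
colliding-name generator and the sample form body are all constructed here.
"""
import hashlib
import os
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def weak_hash(s: str) -> int:
    """Deterministic multiplicative hash (assumed stand-in): identical on every
    server and for every request, so collisions can be precomputed offline."""
    h = 0
    for ch in s:
        h = (h * 31 + ord(ch)) & MASK32
    return h


def make_keyed_hash(key: bytes) -> Callable[[str], int]:
    """Mitigation 1: a keyed hash. Which names collide now depends on a secret
    chosen per process, so the attacker cannot precompute a colliding set."""
    def keyed(s: str) -> int:
        digest = hashlib.blake2b(s.encode(), key=key, digest_size=4).digest()
        return int.from_bytes(digest, "little")
    return keyed


def colliding_names(count: int) -> List[str]:
    """Return `count` distinct strings that all share one weak_hash() value.
    "Aa" and "BB" both hash to 2112 under weak_hash, and the hash of a
    concatenation depends only on the block hashes and lengths, so every
    string made of k such blocks collides with every other."""
    blocks = ("Aa", "BB")
    pairs = 1
    while 2 ** pairs < count:
        pairs += 1
    return ["".join(p) for p in product(blocks, repeat=pairs)][:count]


class ChainedTable:
    """Minimal separate-chaining hash table that counts the work it does."""

    def __init__(self, hasher: Callable[[str], int], buckets: int = 1024):
        self.hasher = hasher
        self.buckets: List[List[Tuple[str, str]]] = [[] for _ in range(buckets)]
        self.probes = 0  # chain nodes visited across all inserts

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[self.hasher(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.probes += 1          # every node walked is CPU spent
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def max_chain(self) -> int:
        return max(len(c) for c in self.buckets)


def parse_form(body: str, hasher: Callable[[str], int],
               max_fields: Optional[int] = None) -> ChainedTable:
    """Parse an application/x-www-form-urlencoded body into a ChainedTable.
    Mitigation 2: reject requests carrying more fields than `max_fields`
    before any hashing happens, bounding the worst case even with a weak hash."""
    fields = body.split("&")
    if max_fields is not None and len(fields) > max_fields:
        raise ValueError(f"{len(fields)} form fields exceeds limit of {max_fields}")
    table = ChainedTable(hasher)
    for field in fields:
        name, _, value = field.partition("=")
        table.insert(name, value)
    return table


def demo(n: int = 256) -> Dict[str, int]:
    """Parse one attacker-constructed body with the weak and the keyed hash."""
    body = "&".join(f"{name}=x" for name in colliding_names(n))   # constructed input
    weak = parse_form(body, weak_hash)
    keyed = parse_form(body, make_keyed_hash(os.urandom(16)))
    return {
        "weak_max_chain": weak.max_chain(), "weak_probes": weak.probes,
        "keyed_max_chain": keyed.max_chain(), "keyed_probes": keyed.probes,
    }


if __name__ == "__main__":
    print(demo(256))
    try:
        parse_form("&".join(f"f{i}=1" for i in range(2000)), weak_hash, max_fields=1000)
    except ValueError as exc:
        print("rejected:", exc)
```

With 256 colliding names the unkeyed table puts all of them in one chain and performs 256·255/2 = 32,640 node visits, while the keyed table spreads the same names across buckets and does a few dozen. The work grows quadratically in the number of fields, which is why a few large POST bodies are enough to pin a CPU; the field-count cap bounds that growth regardless of the hash in use.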
This out-of-cycle patch follows a rather busy Patch Tuesday in December where the company issued 13 separate patches, including three critical fixes. Those patches fixed code execution risks in the Windows kernel, ActiveX, and Windows Media.