Websites, apps vulnerable to low-bandwidth, bot-free takedown, say researchers

[InfoSec News <alerts () infosecnews org>]

http://www.computerworld.com/s/article/9223069/Websites_apps_vulnerable_to_low_bandwidth_bot_free_takedown_say_researchers

By Gregg Keizer
Computerworld
December 29, 2011

Hackers armed with a single machine and a minimal broadband connection 
can cripple Web servers, researchers disclosed Wednesday, putting 
uncounted websites and Web apps at risk from denial-of-service attacks.

In a security advisory issued the same day, Microsoft, whose ASP .Net 
programming language is one of several affected by the flaw, promised to 
patch the vulnerability and offered customers ways to protect their 
servers until it releases an update.

In a follow-up message, Microsoft announced it was shipping an 
"out-of-band," or emergency update today. The update was released at 1 
p.m. ET. Designated MS11-100, it also fixed three other bugs in ASP 
.Net, one tagged "critical." None of those three had been disclosed 
publicly prior to today.

The problem that caused a stir in the security community exists in many 
of the Web's most popular application and site programming languages, 
including ASP .Net, the open-source PHP and Ruby, Oracle's Java and 
Google's V8 JavaScript, according to two German researchers, Alexander 
Klink and Julian Walde.

Klink and Walde, who presented their findings at the Chaos Communication 
Congress (CCC) conference in Berlin on Wednesday, traced the flaw to 
those languages' -- and others' -- handling of hash tables, a 
programming structure used to quickly store and retrieve data.

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn