
This article is more than 1 year old
Microsoft announces ASP.NET zero-day vuln
Workaround ahead of patch
Just in case anybody’s got a BOFH working at the moment, pay attention: Microsoft has released a security advisory covering a zero-day vulnerability in ASP.NET.
“The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision,” the advisory says. The vulnerability exposes users to denial-of-service attacks.
An attacker could craft an HTTP request containing thousands of form values, which would consume all of the CPU resources of the target machine. Sites serving only static pages are not vulnerable to the attack. “Sites that disallow application/x-www-form-urlencoded or multipart/form-data HTTP content types are not vulnerable”, the advisory states.
Microsoft is not yet aware of any exploits in the wild.
As a workaround ahead of the patch, according to the advisory, is to set a limit to the size of HTTP request the server will accept. ®
Narrower topics
- 2FA
- Active Directory
- Advanced persistent threat
- Application Delivery Controller
- Authentication
- Azure
- BEC
- Bing
- Black Hat
- BSides
- BSoD
- Bug Bounty
- CHERI
- Common Vulnerability Scoring System
- Cybercrime
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- DDoS
- DEF CON
- Digital certificate
- Encryption
- Excel
- Exchange Server
- Exploit
- Firewall
- Hacker
- Hacking
- Hacktivism
- HoloLens
- Identity Theft
- Incident response
- Infosec
- Internet Explorer
- Kenna Security
- Microsoft 365
- Microsoft Build
- Microsoft Edge
- Microsoft Ignite
- Microsoft Office
- Microsoft Surface
- Microsoft Teams
- NCSAM
- NCSC
- .NET
- Office 365
- OS/2
- Outlook
- Palo Alto Networks
- Password
- Patch Tuesday
- Phishing
- Pluton
- Quantum key distribution
- Ransomware
- Remote Access Trojan
- REvil
- RSA Conference
- SharePoint
- Skype
- Spamming
- Spyware
- SQL Server
- Surveillance
- TLS
- Trojan
- Trusted Platform Module
- Visual Studio
- Visual Studio Code
- Vulnerability
- Wannacry
- Windows
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows Subsystem for Linux
- Windows XP
- Xbox
- Xbox 360
- Zero trust
Broader topics
More about
Narrower topics
- 2FA
- Active Directory
- Advanced persistent threat
- Application Delivery Controller
- Authentication
- Azure
- BEC
- Bing
- Black Hat
- BSides
- BSoD
- Bug Bounty
- CHERI
- Common Vulnerability Scoring System
- Cybercrime
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- DDoS
- DEF CON
- Digital certificate
- Encryption
- Excel
- Exchange Server
- Exploit
- Firewall
- Hacker
- Hacking
- Hacktivism
- HoloLens
- Identity Theft
- Incident response
- Infosec
- Internet Explorer
- Kenna Security
- Microsoft 365
- Microsoft Build
- Microsoft Edge
- Microsoft Ignite
- Microsoft Office
- Microsoft Surface
- Microsoft Teams
- NCSAM
- NCSC
- .NET
- Office 365
- OS/2
- Outlook
- Palo Alto Networks
- Password
- Patch Tuesday
- Phishing
- Pluton
- Quantum key distribution
- Ransomware
- Remote Access Trojan
- REvil
- RSA Conference
- SharePoint
- Skype
- Spamming
- Spyware
- SQL Server
- Surveillance
- TLS
- Trojan
- Trusted Platform Module
- Visual Studio
- Visual Studio Code
- Vulnerability
- Wannacry
- Windows
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows Subsystem for Linux
- Windows XP
- Xbox
- Xbox 360
- Zero trust