03 Jan 2012
Microsoft has released an emergency patch to address a vulnerability in its web application framework ASP.NET.
The framework allows developers to build dynamic web services and applications, and Microsoft said that the vulnerability enables denial-of-service attacks on servers hosting services built with it.
"This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers," wrote Microsoft engineers Suha Can and Jonathan Ness on the firm's security blog.
"For ASP.NET in particular, a single specially crafted request can consume 100 per cent of one CPU core for between 90 and 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers," they added.
Microsoft also advised ASP.NET web site owners that they can mitigate the problem pre-patch by limiting the size of the requests users can make to their site.
"Attackers would need to send (relatively) large HTTP requests to exploit the vulnerability. So if your web site does not normally need to accept large requests from legitimate users, you can configure ASP.NET to reject all requests larger than a certain size."
However, the engineers warned that this could block some legitimate users.
"Note that if your web site does need to accept user uploads, this workaround is likely to block legitimate requests. In that case, you should not use this workaround and instead wait for the comprehensive security update."
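As an added illustration of the request-size workaround described above (example configuration, not from the article or from Microsoft), the following web.config fragment caps the accepted request size at both the ASP.NET and IIS layers; the 200 KB limit is an assumed value for a site that accepts no uploads.

```xml
<!-- Added example (not from the article): applies the pre-patch workaround by
     rejecting large requests. The limits are assumed values; choose the
     smallest cap that legitimate traffic still fits under. -->
<configuration>
  <system.web>
    <!-- maxRequestLength is in kilobytes; the ASP.NET default is 4096 (4 MB).
         Requests above this size are rejected instead of being processed. -->
    <httpRuntime maxRequestLength="200" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- IIS 7+ request filtering enforces its own cap, in bytes, before the
             request reaches ASP.NET. Keep it consistent with the value above
             (200 KB = 204800 bytes). -->
        <requestLimits maxAllowedContentLength="204800" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

If the site does accept user uploads, this cap rejects them too, which is the trade-off the engineers warn about above.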
The vulnerability also affects several other languages and platforms, including Java, Ruby, Apache Tomcat and the V8 JavaScript engine.
The security researchers who first brought the issue to Microsoft's attention have also released a paper on the vulnerability, which includes their own suggested workarounds.