'

Microsoft spotlights .NET flaw, offers workaround

Software vendor highlights vulnerability in Web sites serving ASP.NET pages that could lead to denial-of-service of attacks and suggests temporary fix ahead of releasing patch.

Microsoft has given notice of a vulnerability in its .NET framework which can lead to denial-of-service attacks against Web servers serving ASP.NET pages, in what is known as "hash collision attacks".

In an advisory issued Wednesday, the software maker said it was aware that detailed information had been published describing the hash collision attacks. It noted: "[The vulnerability] affects all versions of Microsoft .NET framework and could allow for an unauthenticated denial-of-service attack on servers that serve ASP.NET pages.

"It is possible for an attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial-of-service condition."

Redmond said sites that only serve static content or disallow certain dynamic content types are not vulnerable, and added that it was not aware of any active attacks.

As a workaround, Microsoft suggested Web operators configure the limit of the maximum request size that ASP.NET will accept from a client as it will decrease the susceptibility of such attacks. The software giant will also release a patch once it completes its investigation.