Microsoft have released a rare out-of-band update to fix a vulnerability in the .NET Framework. The update comes weeks before the next regularly scheduled "Patch Tuesday" in mid-January, and addresses a flaw that could allow attackers to exploit hash tables to perform a denial-of-service (DoS) attack against a website built with Microsoft's ASP.NET application framework.
DoS attacks usually require thousands of malware-controlled systems in a botnet to overwhelm a site with requests. This opening would allow an attacker to cripple a vulnerable site by sending a certain type of HTTP request. Each of these requests would consume 100-percent of one CPU core. As you can imagine, the more of these requests, the more CPU power that is zapped away.
Microsoft says "Attacks targeting this type of vulnerability are generically known as hash collision attacks." They also added that the problem is not specific to Microsoft's Web services as it affects PHP 5, Java, .NET, v8 and even PHP 4, Ruby and Python. The people behind these platforms will release updates soon, but the holidays will dampen these efforts.