In a presentation ("Efficient Denial of Service Attacks on Web Application Platforms", Dec 28th 2011, PDF) at the 28th Chaos Communication Congress in Berlin (#28c3), details were published on how to perform so-called "hash collision attacks" on web servers.
This affects not only Microsoft technology (ASP.NET), but also Java, Python, Ruby, PHP, v8/node.js, …
Microsoft has already reacted and will release an out-of-band security update today.
For more details see:
- ScottGu’s Blog: ASP.NET Security Update Shipping Thursday, Dec 29th (en)
- Microsoft Security Advisory (2659883): Vulnerability in ASP.NET Could Allow Denial of Service (en)
- Microsoft Security Research & Defense: More information about the December 2011 ASP.NET vulnerability (en)
- TechNet Team Blog Austria: Workaround gegen Denial of Service Attacke in ASP.NET #hashDoS #28C3 (de)