Code Published that exposed ASP.NET DoS Vulnerability

by Taylor G
Exploit code for a patched denial-of-service (DoS) vulnerability in Microsoft’s ASP.NET web development platform was recently published online.  This raises the risk, because not every server administrator applies updates promptly or has automatic updates enabled.  The vulnerability, identified as CVE-2011-3414, was presented at Europe’s largest hacker conference, after which Microsoft published a security advisory and released a patch for the flaw.  According to two Microsoft Security Response Center (MSRC) engineers, “This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even a cluster of web servers”.  They also stated, “For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 — 110 seconds.  An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers.” A user going by the name ‘HybrisDisaster’ published a proof-of-concept (PoC) exploit for the vulnerability on GitHub, a platform that hosts open source development projects.  He left notes encouraging people to download and use it, and signed off with “We are Legion. Expect us,” a slogan used by the Anonymous hacking group.
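An added illustration, not code from the article, from Microsoft or from the PoC author: the ASP.NET patch capped the number of form fields a request may carry (default 1000, configurable through the aspnet:MaxHttpCollectionKeys setting), so a crafted body is refused before the server does expensive work on it. The sketch below applies the same idea in Python; the body-size limit, the field-count helper and the sample bodies are constructed for this example.

```python
# Added example: bound the number of form fields before parsing them, in the
# spirit of the ASP.NET fix. Counting separators in the raw body is a single
# linear scan that builds no dictionary, so an abusive request is rejected
# before the hash table the attack targets is ever populated.
from urllib.parse import parse_qsl

MAX_FORM_KEYS = 1000          # mirrors ASP.NET's post-patch default
MAX_BODY_BYTES = 64 * 1024    # constructed limit for this example


class RequestRejected(Exception):
    """Raised when a request body fails the pre-parse checks."""


def count_form_fields(body: bytes) -> int:
    """Count key=value pairs in a urlencoded body without decoding it."""
    if not body:
        return 0
    # Each '&' separates one field from the next; empty segments are ignored.
    return sum(1 for seg in body.split(b"&") if seg)


def parse_form_safely(body: bytes,
                      max_keys: int = MAX_FORM_KEYS,
                      max_bytes: int = MAX_BODY_BYTES) -> dict:
    """Reject oversized or over-populated bodies, then parse into a dict."""
    if len(body) > max_bytes:
        raise RequestRejected(f"body of {len(body)} bytes exceeds {max_bytes}")
    n = count_form_fields(body)
    if n > max_keys:
        raise RequestRejected(f"{n} form fields exceed limit of {max_keys}")
    # Only now is the dictionary built, with a known upper bound on its size.
    text = body.decode("ascii", errors="replace")
    return dict(parse_qsl(text, keep_blank_values=True))


# Constructed inputs: an ordinary login form and a body stuffed with 5000 keys.
NORMAL_BODY = b"user=alice&password=secret&remember=1"
FLOOD_BODY = b"&".join(b"k%d=x" % i for i in range(5000))


def check(body: bytes) -> str:
    """Return a one-line verdict for a request body."""
    try:
        parse_form_safely(body)
        return "accepted"
    except RequestRejected as e:
        return f"rejected: {e}"
```

The flood body is well under the size limit, so it is the field-count check, not the byte limit, that stops it; both limits should be tuned to what the application's real forms need.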

I found this article to be interesting and related to class, since in the last few weeks of class we are going to be developing ASP.NET websites with Visual Basic.  I know that it is going to be nearly impossible to create a website or a web server offering services that is completely protected, but all of the issues we hear about on a monthly if not weekly basis are astonishing.  Some of the biggest companies are not prepared enough for intrusions or attacks.  They are trusted and responsible for maintaining and storing our personal information, and when they allow a group of hackers to look at and even download that information, they put all of us at risk.  As a computer information systems major, I guess that I can look forward to a future that is more secure, and maybe someday I can be part of the move towards security.

Constantin, L. (2012, January 10). Attack code published for serious DoS vulnerability. Retrieved from