Patches: >.<

by Caezar M

Summary:

In the classic story of how we CANNOT do anything right the first time, it was announced that a patch for ASP.NET actually doesn’t help security that much at all. Microsoft released a patch that was supposed to resolve security issues for ASP.NET, and right after, a hacker published a vulnerability showing how to create havoc within those servers, causing massive Denial of Service (DoS). Now, when we normally think of DoS, we think of someone using massive amounts of infected computers to simultaneously request information from one source, causing the server to crash. Well… this is not as cool but infinitely more effective. So basically this patch allows for an HTTP request of ~100kb to consume 100% … wait, can I modify text in here? …

100% OF 1 CORE OF SERVER COMPUTING POWER FOR OVER A MINUTE

(That’s better.) This is unacceptable. BUT WAIT (always wanted to say that), it’s not limited to one core: if you repeatedly do this you will consume more resources of more cores (if the server is multi-core) and even over the span of server clusters. Microsoft has addressed this issue and released another patch that will remedy the situation, but it just goes to show you that no matter how hard you try, there is always someone looking over your shoulder trying to find a way to make a mess out of all your hard work.

Response:

This article is about ASP.NET, and it outlines the vulnerabilities of a specific patch that Microsoft released that caused more damage than the problems it was probably trying to solve. Overall, no matter how much you try to make anything like a fortress, you will never succeed; someone will always try to find a way to penetrate your walls and cause as much damage as they can. We have seen it over the years in real life, and it’s a reality every day on the internet. I wonder about the psychology of the people who actually do this. Are they bored? Crazy? Mad? Maybe a combination of all three, but why would you dedicate so much time to making others’ lives harder than they need to be? I am reminded of the dichotomy of weapon makers and armor makers. I might have said this before, but I will outline it again. The stronger you make your defenses, the more creative the weapon makers have to be to make something to penetrate them. Vice versa, the more powerful the weapons of the day, the more creative you have to be about protecting yourself. So maybe it is in human nature to want to destroy someone or something, but at least it still holds true that “nobody can be truly happy unless they hate someone else.”

Lucian Constantin. (2012, January 10). Attack Code Published for Serious ASP.NET DoS Vulnerability. PCWorld. Retrieved February 16, 2012, from http://www.pcworld.com/businesscenter/article/247731/attack_code_published_for_serious_aspnet_dos_vulnerability.html

1 thought on “Patches: >.<”

  1. This was a very entertaining article. I still think they should hire all the hackers to work for them and Pen test day and night. Unfortunately I highly doubt they will ever want to work for Microsoft!
