Microsoft releases emergency critical security patch


Bryan Glick

Microsoft is issuing an emergency security update for a critical flaw that affects all currently supported versions of Windows and Windows Server and could be used for a denial of service attack.

According to the notification on the software giant’s TechNet website, the flaw allows for an “elevation of privilege”. Microsoft software developer Scott Guthrie wrote on his blog that the update “resolves a publicly disclosed denial of service issue present in all versions of ASP.NET”. He said the flaw, published at a security conference on 28 December, relates to a class of vulnerability known as “hash collision attacks”.

In such an attack, hackers target the hash tables that web frameworks such as ASP.NET use as data structures, causing a server application to spend an excessive amount of time processing the requests at the expense of other users, effectively making the site unresponsive, according to Guthrie’s explanation.

The vulnerability affects Windows 7, Vista and XP, as well as Windows Server 2008, 2008 R2 and 2003. Microsoft recommends that users apply the security update as soon as it is available, and said it does not require changes to code or applications.

Microsoft typically releases security updates once a month as part of its “Patch Tuesday” process, but this particular vulnerability has been deemed serious enough to warrant an emergency release outside of the normal schedule.

The supplier’s most recent December update included 14 security bulletins covering 20 vulnerabilities. Out of the 14, three were of the highest critical severity level, and affected Windows XP, Vista and Windows 7, although only one applied to Windows 7.
