Microsoft is issuing an emergency security update for a critical flaw that affects all currently supported versions of Windows and Windows Server and could be used for a denial of service attack.
According to the notification on the software giant’s Technet website, the flaw allows for an “elevation of privilege”. Microsoft software developer Scott Guthrie wrote on his blog that the update “resolves a publicly disclosed denial of service issue present in all versions of ASP.NET”. He said the flaw, disclosed at a security conference on 28 December, is an instance of the class of vulnerability known as “hash collision attacks”.
In such an attack, the attacker targets the hash tables that web frameworks such as ASP.NET use internally to store request data, causing the server application to spend disproportionately long processing the crafted requests at the expense of other users, effectively rendering the site unresponsive, according to Guthrie’s explanation.
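To make the mechanism concrete, here is an added illustration (not code from the article, from Microsoft, or from ASP.NET) of why colliding keys turn a hash table into a CPU sink and how two standard defences, a per-process keyed hash and a cap on the number of fields per request, neutralise it. The hash table, the toy `h = h*31 + c` hash, the constructed key batches, and the illustrative limit of 1000 fields are all assumptions made for this example; the comparison counter stands in for CPU time so the result is machine-independent.

```python
import hashlib
import os
import random
import string


class ChainedHashTable:
    """Minimal separate-chaining hash table with a pluggable hash function.

    ``probes`` counts key comparisons made during inserts; it is a
    machine-independent proxy for the CPU time the server burns.
    """

    def __init__(self, hash_fn, buckets=4096):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.probes = 0
        self.size = 0

    def put(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.probes += 1          # one comparison per key already in the chain
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))
        self.size += 1


def unseeded_hash(key: str) -> int:
    """Toy deterministic multiply-add string hash (h = h*31 + c).

    Its bucket placement is fully predictable, which is the weakness the
    article's attack class exploits.
    """
    h = 0
    for ch in key:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


_SEED = os.urandom(16)  # fresh per process; not observable from outside


def keyed_hash(key: str) -> int:
    """Keyed hash: bucket placement depends on a secret per-process seed,
    so a key batch built offline no longer collides on the server."""
    digest = hashlib.blake2b(key.encode(), key=_SEED, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def colliding_keys(n: int) -> list:
    """Constructed sample input: n distinct strings sharing one unseeded_hash value.
    "Aa" and "BB" both hash to 2112 under h*31+c, so any sequence of those
    two-character blocks of the same length hashes identically."""
    width = max(1, n.bit_length())
    return ["".join(("Aa", "BB")[(i >> b) & 1] for b in range(width)) for i in range(n)]


def random_keys(n: int) -> list:
    """Constructed sample input: n ordinary-looking 12-letter field names."""
    rng = random.Random(1)  # fixed seed so the figure is reproducible
    return ["".join(rng.choices(string.ascii_letters, k=12)) for _ in range(n)]


def probes_for(keys, hash_fn) -> int:
    """Insert every key and report how many comparisons it cost."""
    table = ChainedHashTable(hash_fn)
    for k in keys:
        table.put(k, "x")
    return table.probes


MAX_KEYS = 1000  # illustrative cap on form fields per request (assumption)


def parse_form(pairs, hash_fn=keyed_hash, max_keys=MAX_KEYS):
    """Load (name, value) pairs into a table, refusing oversized requests
    before the quadratic work can accumulate."""
    table = ChainedHashTable(hash_fn)
    for count, (name, value) in enumerate(pairs, 1):
        if count > max_keys:
            raise ValueError(f"request exceeds {max_keys} form fields")
        table.put(name, value)
    return table


def is_rejected(pairs, max_keys=MAX_KEYS) -> bool:
    """True if parse_form refuses the request because of the field cap."""
    try:
        parse_form(pairs, hash_fn=unseeded_hash, max_keys=max_keys)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    n = 2000
    bad, good = colliding_keys(n), random_keys(n)
    print("unseeded hash, colliding keys:  ", probes_for(bad, unseeded_hash))
    print("unseeded hash, ordinary keys:   ", probes_for(good, unseeded_hash))
    print("keyed hash, same colliding keys:", probes_for(bad, keyed_hash))
    print("oversized request rejected:     ", is_rejected([(k, "v") for k in bad]))
```

With 2000 colliding field names the unseeded table performs 1,999,000 comparisons (every insert walks the single chain), while ordinary names cost a few hundred; the keyed hash brings the hostile batch back to the ordinary cost because the attacker cannot know the seed, and the field cap stops the work before it starts. Real frameworks combine both ideas, which is why a framework-level fix can close the issue without changes to application code, as the article notes.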
The vulnerability affects Windows 7, Vista and XP, as well as Windows Server 2008, 2008 R2 and 2003. Microsoft recommends that users apply the security update as soon as it is available, and said it does not require changes to code or applications.
Microsoft typically releases security updates once a month as part of its “Patch Tuesday” process, but this particular vulnerability has been deemed serious enough to warrant an emergency release outside of the normal schedule.
The supplier’s most recent December update included 14 security bulletins covering 20 vulnerabilities. Out of the 14, three were of the highest critical severity level, and affected Windows XP, Vista and Windows 7, although only one applied to Windows 7.