Microsoft Ends Year With First Emergency Patch
Microsoft (NSDQ:MSFT) Thursday released its first emergency patch (workaround) of the year to fix a critical vulnerability that would make it relatively easy to take down a Web site built with the company's ASP.NET application framework. Microsoft determined that the flaw was serious enough to warrant a fix outside the company's normal release schedule of the second Tuesday of each month. The latest patch, the first out-of-cycle fix this year, brought the number of security bulletins issued in 2011 to 100, compared to 106 last year.
Microsoft released a workaround for the flaw on Wednesday, as a stopgap measure until a permanent fix was available. An attacker could exploit the vulnerability to take down a site by consuming all CPU resources on a Web server or cluster of servers. To do that, the hacker would only need to send a series of specially crafted, 100 KB HTTP requests. Because of the flaw, each request would consume 100 percent of one CPU core.