In its security advisory, Microsoft said that the vulnerability affects ASP.NET versions 1.1 and above on all supported versions of the .NET framework.
“The new method of hash collision attacks used to exploit this vulnerability is an industry-wide issue affecting various web platforms, including ASP.NET”, wrote Dave Forstrom, director of Microsoft Trustworthy Computing, in a recent blog.
Microsoft said it is currently unaware of any attacks targeting ASP.NET, but it encouraged affected customers to test and deploy the update as soon as possible. The company said that consumers are not vulnerable unless they are running a web server from their computer.
Independent researchers Alexander Klink and Julian Waelde uncovered the vulnerability and described it in a notice to vendors.
“Hash tables are a commonly used data structure in most programming languages. Web application servers or platforms commonly parse attacker-controlled POST form data into hash tables automatically, so that they can be accessed by application developers. If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys”, the notice explained.