File this one under a sarcastic “Thanks a lot”. Imagine you are a company creating a widely used backend web development software. Someone releases a study that says, “This is only theory, but we’re pretty sure we can break your interwebs site by dancing like a koala bear.” These people include all kinds of documentation to support that dancing like a koala bear is serious trouble for web applications. Well, if it were me, I would make sure my software comes with some heavy-duty anti-koala bear defenses. Apparently, however, if you are a multi-billion dollar corporation in Redmond, Washington, you just ignore these kinds of things – or you really like koalas and don’t want to hurt them. In this case, I’m going to go with the former.
ComputerWorld reported how an exploit was discussed by Klink and Walde during the Chaos Communication Conference a few weeks prior. Based on research from a 2003 paper, Klink and Walde demonstrated how a low-bandwidth attack could be initiated without the use of bots to take down entire websites – an attack equivalent to that of a full-fledged denial of service attack. This attack uses the high CPU load needed to handle various hashing techniques to create an unbearable load on the server with minimal requests. Although the exploit requires a web application to utilize hash tables to even be vulnerable, it was found that various parts of auto-generated forms and their data in ASP.NET utilize these hashes, and thus it was easily exploited.
Other languages, such as Ruby and PHP, were also vulnerable to this exploit. Ruby immediately released a patch to help combat the issue, while PHP made modifications to a future release. However, these releases were not critical, as hashing is neither as frequently used nor utilized by default in these languages.
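Why a handful of form fields can cost so much CPU, and what two common mitigations for this class of problem (a cap on the number of form fields and a per-process keyed hash) change, shown as an added Python example; it is not code from ASP.NET, Ruby, PHP or the researchers. `weak_hash`, `keyed_hash`, `ChainedTable` and `parse_form` are hypothetical names, and the colliding keys are constructed for the toy hash only.

```python
import hashlib
import os

def weak_hash(key):
    # Toy, deliberately weak hash: the byte sum, so anagrams always collide.
    return sum(key.encode())

def keyed_hash(secret=None):
    # Per-process secret makes bucket placement unpredictable to the client.
    secret = secret or os.urandom(16)
    def h(key):
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return h

class ChainedTable:
    """Separate-chaining hash table that counts key comparisons."""
    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

def parse_form(pairs, hash_fn, max_keys=None):
    """Load form fields into a table; return the comparisons it cost."""
    if max_keys is not None and len(pairs) > max_keys:
        raise ValueError("too many form fields")
    table = ChainedTable(hash_fn)
    for key, value in pairs:
        table.put(key, value)
    return table.comparisons

N = 500
# Constructed sample input: N distinct keys with the same byte sum.
COLLIDING = [("a" * i + "b" + "a" * (N - 1 - i), "x") for i in range(N)]

if __name__ == "__main__":
    print("weak hash: ", parse_form(COLLIDING, weak_hash))     # one long chain
    print("keyed hash:", parse_form(COLLIDING, keyed_hash()))  # spread out
```

With the predictable hash every insert walks the whole chain, so the work grows with the square of the field count; the keyed hash or the `max_keys` cap each bounds it.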
Bravo, Microsoft. Bravo.