Security researchers unveiled a simple technique for crippling Web servers, and forced Microsoft to push an urgent update

It was so close. Microsoft made it 363 days in 2011 without releasing an update outside of the monthly Patch Tuesday cycle. It was also 48 hours away from finishing 2011 in double digits for security bulletins. But on December 29, Microsoft pushed out an out-of-band patch: MS11-100.

Researchers recently revealed a flaw that exists in a wide variety of Web application platforms, including Python, PHP, ASP.NET, and others. It is an insidiously simple attack that can bring a Web server to its knees by consuming all of its processing power, creating a denial of service (DoS). The weakness lies in how these platforms store request parameters: field names are placed into a hash table, and because the hash function is fixed and publicly known, an attacker can craft a single POST whose thousands of field names all hash to the same value. Every insert then degenerates into a scan of every name already in that bucket, so the work needed to parse one request grows with the square of the number of fields it carries.

Andrew Storms, director of security operations for nCircle, explains, "This isn't your average DoS attack because it doesn't take a botnet or a lot of coordination to take a web server down. Most DoS attacks rely on a huge number of small requests targeted at a specific web server to overwhelm it. In this case, a single request can consume a single core for 90 seconds. Queue up a few of these requests every few minutes and the site will be essentially knocked offline."

Dave Forstrom, director, Microsoft Trustworthy Computing, announced, "Today, Microsoft released MS11-100 to protect customers against the industry-wide issue described in Security Advisory 2659883." Forstrom adds that Microsoft is not currently aware of any attacks targeting ASP.NET. However, Microsoft considers the threat credible and urgent enough that it released an out-of-band patch to address it, and it urges customers to deploy the patch as quickly as possible.

Wolfgang Kandek, CTO of Qualys, notes that Microsoft developed and released this patch with lightning speed. Apparently a .NET Framework patch was already in progress for the January Patch Tuesday, and Microsoft was able to roll this fix into the work it was already doing and rush it out the door.
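To make the "one request, one core" arithmetic concrete, here is an added, self-contained demonstration (it is not the researchers' proof-of-concept nor any vendor's code). It uses Bernstein's times-33 string hash, the kind of fixed, unkeyed hash the affected platforms used for parameter tables, generates a set of distinct field names that all share one hash value, and counts the key comparisons a small chaining hash table performs while parsing a constructed form body. It then shows the two counter-measures that close the hole: a hash keyed with a per-process secret, so the attacker can no longer predict collisions, and a cap on the number of fields a single request may carry. The table size, the parameter cap of 1000 and the form body are choices made for this example.

```python
# Added example: hash-collision DoS against a fixed times-33 string hash,
# with a keyed hash and a field-count cap as mitigations. Constructed demo,
# not the researchers' or any vendor's code.
import hashlib
import os
from itertools import product

MASK = 0xFFFFFFFF


def djbx33a(s: bytes) -> int:
    """Bernstein's times-33 hash: h = h*33 + c, truncated to 32 bits."""
    h = 5381
    for c in s:
        h = (h * 33 + c) & MASK
    return h


def colliding_keys(pairs: int) -> list:
    """Return 2**pairs distinct keys that all share one djbx33a value.

    b"Ez" and b"FY" contribute the same amount to the hash
    (69*33 + 122 == 70*33 + 89 == 2399), so any string built by choosing
    one of the two at each position collides with every other such string.
    """
    return [b"".join(p) for p in product((b"Ez", b"FY"), repeat=pairs)]


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons,
    i.e. the work a request parser does while building its parameter map."""

    def __init__(self, hash_fn, nbuckets=1 << 16):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: bytes, value: bytes) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1          # one comparison per entry scanned
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def parse_form(body: bytes, hash_fn, max_keys=None) -> ChainedTable:
    """Parse 'k=v&k=v' into a ChainedTable.

    max_keys is the second mitigation: refuse a request that carries more
    fields than any legitimate form would, before doing per-field work.
    """
    fields = body.split(b"&")
    if max_keys is not None and len(fields) > max_keys:
        raise ValueError(f"request carries {len(fields)} fields, limit is {max_keys}")
    table = ChainedTable(hash_fn)
    for field in fields:
        k, _, v = field.partition(b"=")
        table.insert(k, v)
    return table


# First mitigation: a keyed hash. The secret is generated per process, so the
# attacker cannot precompute which names land in the same bucket.
SECRET = os.urandom(16)


def keyed_hash(s: bytes) -> int:
    return int.from_bytes(hashlib.blake2b(s, key=SECRET, digest_size=4).digest(), "big")


def demo(pairs: int = 11) -> tuple:
    """Parse one attacker-built form body with both hashes; return the
    comparison counts (fixed hash, keyed hash)."""
    keys = colliding_keys(pairs)                      # 2**11 = 2048 names
    body = b"&".join(k + b"=x" for k in keys)         # constructed POST body
    weak = parse_form(body, djbx33a)                  # every name in one bucket
    strong = parse_form(body, keyed_hash)             # names spread across buckets
    # weak: n*(n-1)/2 = 2048*2047/2 = 2096128 comparisons; strong: a few dozen
    return weak.comparisons, strong.comparisons


if __name__ == "__main__":
    w, s = demo()
    print(f"fixed hash: {w} comparisons, keyed hash: {s} comparisons")
```

Doubling the number of pairs quadruples the fixed-hash comparison count, which is how a body of a few hundred kilobytes ends up costing tens of seconds of CPU on a real parser. Keying the hash removes the attacker's ability to choose collisions; the field-count cap protects code paths that still use a predictable hash.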
Kandek states in a blog post, "We consider Microsoft's reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers' work. We will be tracking how the other projects and vendors affected (PHP, Oracle, Python, Ruby and others) are rolling out their patches."

And with that, Microsoft hits 100 security bulletins for the year. It is lower than the 106 in 2010, but doesn't carry the same sense of accomplishment that would have come with staying in double digits. More importantly, patch 100 breaks the perfect record of sticking to the regular monthly release schedule.

nCircle's Storms sympathizes, "I'm sure a few people on Microsoft's security team are packing up the champagne that was ready for that end of year victory toast."

Storms has a little good news and bad news to sum up. He points out that the holiday shopping season is over, which reduces the potential impact. But the flip side is that most businesses are closed or at least running skeleton crews this week, which will make it difficult to get the patch tested and deployed as quickly as necessary.