Microsoft Warns of Widespread Windows Flaw
February 10, 2004
Robert Lemos, Staff Writer, CNET News.com
Microsoft has a message for Windows users: Patch your
computers quickly.
On Tuesday, the software giant released a fix for a
networking flaw that affects every computer running Windows
NT, Windows 2000, Windows XP or Windows Server 2003. If
left unpatched, the security hole could allow a worm to
spread quickly throughout the Internet, causing an incident
similar to the MSBlast attack last summer.
"There are more attack vectors and more people that could
be affected by this," said Marc Maiffret, chief hacking
officer for eEye Digital Security, the software firm that
warned Microsoft of the vulnerability more than six months
ago.
This is the second time this month that Microsoft has
warned users of a security flaw. The company has a new
policy of announcing vulnerabilities and releasing patches
on the second Tuesday of each month, unless a critical flaw
needs to be released immediately.
Last week, the software maker revealed a security flaw in
Internet Explorer and issued a patch.
The latest flaw exists in Microsoft's implementation of a
basic networking protocol known as Abstract Syntax Notation
One, or ASN.1. The code is shared by many Windows
applications, and if left unpatched, it causes each program
that uses the code to be an entry point into the operating
system for an attacker.
Such widespread vulnerabilities are most tempting for the
underground coders who create worms such as MSBlast--also
known as Blaster--and Slammer, both of which took advantage
of widespread Windows flaws.
The vulnerability could allow a remote user to take control
of a computer running a version of the Windows operating
system that hasn't been patched, according to the advisory
posted on Microsoft's Web site. Exploiting the flaw is much
easier if the attacker can access a local network, the
advisory noted.
The flaw bears a resemblance to the one that allowed
MSBlast to spread in August 2003, said Stephen Toulouse,
security program manager at Microsoft's security response
center.
"It is relatively similar in terms of the number of
computers it could affect," he said, adding that the flaw
"is in all versions of Windows."
Created by Xerox and standardized in 1984, ASN.1 is a way
to describe networking data and protocols, said Bancroft
Scott, president of OSS Nokalva, an ASN.1 tools developer.
"Twenty years ago, people frequently reinvented the wheel
when they wanted to pass data," he said in a January
interview on the subject of ASN.1. "There was no way to
describe the data that you were going to send."
ASN.1 changed that, allowing developers to describe data in
an abstract language. However, developers of tools for
creating network protocols and software from those
descriptions frequently didn't consider that Internet
attackers would use the channel as a way to break into
computers, Scott said.
"These technologies, such as Windows, don't have anything
to do with ASN.1, and yet they are breaking," he said.
The widespread use of ASN.1 has led many security
researchers to label it a possible "monoculture"--a
population so homogeneous that a single threat could
destroy it. A recent trend in the computer security world
is the recognition that vulnerabilities in common
technologies can have widespread effects. A flaw in the
Simple Network Management Protocol, a widely used way to
communicate between network hardware, was due to an ASN.1
implementation error.
eEye's Maiffret was critical of Microsoft for taking so
long to issue the patch.
"Two hundred days to fix this," Maiffret said. "It is
obviously ridiculous."
Microsoft's Toulouse said the fix took so long to create
because of the difficulties posed by such a pervasive
technology.
"ASN.1 is really an extremely deep...technology in Windows
itself," he said. "This investigation required us to
evaluate several different aspects. This is an instance
where we really had to do our due diligence."
http://www.nytimes.com/cnet/CNET_2100-7355_3-5156647.html?ex=1077448618&ei=1&en=65edaae847459f53