Security

Microsoft Patches New Vulnerability, Worm Expected

It’s happening again. A major security vulnerability in Microsoft’s Windows operating system has security experts concerned about widespread attacks even though Microsoft has issued a patch for the problem — this time a security vulnerability in the widely used Abstract Syntax Notation (ASN.1) protocol.

Microsoft, which rated the vulnerability critical, said that by exploiting an unchecked buffer in the Microsoft ASN.1 Library, an attacker could gain complete control of a computer and take action that includes installing programs, changing or deleting data, and creating new user accounts with administrative privileges.

Microsoft has made a patch available for the flaw and pointed out that there are several potentially mitigating factors — such as the need for network access by an attacker — to make the vulnerability readily exploitable. However, security experts likened the flaw to the Remote Procedure Call (RPC) gap that facilitated the MS Blaster worm last year and warned that because of its wide use in a variety of servers, the ASN issue could be devastating.

“The ASN vulnerability has the potential to be perhaps one of the most widely exploited vulnerabilities in the history of computing — and I don’t say that lightly,” iDefense director of malicious code Ken Dunham told TechNewsWorld. “Why we’re so concerned is because ASN is so integrated into everything. It’s a widely used and relied-upon syntax notation in the Windows environment.”

Worm Likely

The ASN vulnerability — reported by eEye Digital Security and addressed this week with Microsoft’s monthly security updates — affects all Windows operating systems newer than Windows 98, including NT, 2000, XP and Server 2003. The basic, widely used ASN language is the basis of data communication across various platforms.

Gartner research vice president Richard Stiennon said the security hole is most likely to affect servers, such as Microsoft Internet Information Services (IIS) machines, and might result in a server-spreading worm similar to Code Red or Nimda.

“ASN.1 exposes vulnerable IIS servers over Secure Sockets Layer, so that’s a big problem,” Stiennon told TechNewsWorld. “There are tens of thousands of affected servers, and all your e-commerce sites are doing it, so you could have a worm spread among them. Anybody beyond Windows 98 who browses an infected server could be infected that way. That could be very Nimda-like.”

Stiennon, who correctly predicted the MS Blaster worm after the RPC vulnerability was disclosed, said there definitely will be a worm for the ASN hole and estimated it will emerge within a few weeks.

Exploits and Advantages

Indeed, iDefense’s Dunham reported that his company has tested and validated two exploits for the issue and said the vulnerability disclosure and subsequent discussion of it by underground groups followed a pattern similar to what led up to the Blaster and Code Red outbreaks.

Stiennon said there might be additional mitigating factors this time, however, adding that the Internet is “a lot less porous than it was last year when we saw Blaster.”

“This is very esoteric protocol for Microsoft, so not a lot of people are familiar with it,” Stiennon said of ASN. “And we’ve got an advantage from Slammer and MS Blaster, since a lot of organizations have fixed their firewalls and are blocking everything they should be.”

Delays and Dark Days

Still, Stiennon — who said the flaw is the price Microsoft pays for “making protocols willy nilly just to get the job done” — indicated the software giant should have responded more quickly to the widespread vulnerability that took eight months to address after discovery by eEye.

“That’s way too long,” he said. “Now you’re depending on a vulnerability not getting out. There’s just too much opportunity for leakage. There’s no question they have to be faster.”

Dunham said that with the recent MyDoom virus and its variants — which are unrelated to the ASN hole — as well as the integration of spamming tactics in computer worms, computer users are facing hard times.

“There’s going to be a lot of noisy code coming out and hitting people left and right,” Dunham said. “There is going to be nagging issues and lots of worms.”

1 Comment

  • It’s time to bring up the past Microsoft. I remember a few months ago Steve Balmer bashing open source by saying Open Source patches are slower to be released and more unreliable than Microsoft’s. Guess what, OpenSSL had a very similar vulnerbility some months back. That was fixed within a couple of days. And it was fixed properly. So which is it Balmer? Security through obscurity has never worked. You know about a buffer overflow of all things for over six months and you don’t fix it? All you do is hide it? That is sheer incompetitence.
    .
    IIRC isn’t Microsoft supposed to be well into the 2nd year of the secured computing initive. In that time period we’ve seen the worst security on their part in the history of Microsoft. We’ve seen their patching system go from awful to worse. We’ve seen them pay off security researchers to not look for new vulns(Thor Larholm). We’ve seen them sit on openly known exploits for months. We’ve seen them suggest work arounds for known exploits such as "don’t click links on websites". We’ve seen them put bounties on the heads of people who exploit their crappy software (rather than putting the money into fixing problems). We’ve seen worms that take down most windows machines in less than 10 minutes. Now, we’ve seen them cover up a vulnerbility of over a half a year leaving everyone vulnerable.
    .
    If that’s your version of secured computing Microsoft, you’ve got a lot to learn. The irony of it all is they have the gaul to attack others regarding security. Every piece of software has mistakes in it. What sets Microsoft apart from every software vendor, open and closed source, is their refusal to fix mistakes, while accussing others of bad security.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels