Critical Windows Security Advisory!
Posted by: Jim on: 02/11/2004 01:10 AM [ 17 comment(s) ]
rasp let me know about this security advisory that was released today. It's listed as a high severity and affects Windows NT 4.0, Windows 2000 (SP3 and later) and Windows XP.
eEye Digital Security has discovered a critical vulnerability in Microsoft's ASN.1 library (MSASN1.DLL) that would allow an attacker to overwrite heap memory on a susceptible machine and cause the execution of arbitrary code. Because this library is widely used by Windows security subsystems, the vulnerability is exposed through an array of avenues, including Kerberos, NTLMv2 authentication, and applications that make use of certificates (SSL, digitally-signed e-mail, signed ActiveX controls, etc.). Get patched.
Comment
|
Neb Registered User Posts: 338 Joined: 2003-04-16 |
btw, it also affects windows 2003 http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497-42FF-90E7-283732B2E117&displaylang=en |
Comment
|
Jim_ Administrator Posts: 3464 Joined: 2000-03-15 |
2CPU.com (http://www.2cpu.com) - Because two are always better than one! jimkirk.org (http://www.jimkirk.org) - Not a Myth any Longer. Just a Dad. |
Comment
|
HEMI Administrator Posts: 2467 Joined: 2001-12-18 |
Unix is user-friendly; it's just picky about its friends. |
Comment
|
hellodeadcat SMP Guru Posts: 627 Joined: 2003-02-06 |
Very shady that they knew about it for 6 months and did nothing. The exploit has affected XP since the software was released. Sucks if you are one of the companies or governments who may have been exploited by this. MS are asshats for not announcing this. Just because they think one 3rd party security firm knows about it and is supposedly keeping quiet does not mean that it has been found before. MS has stepped to a new low with this one. Just because I cannot go on google and get info on it or download a prebuilt binary kit to use the exploit does not mean that it has not been used by professional crackers or hostile governments on select and specific targets. White trash Jesus freaks for Bush '04. Join us, YOU will be saved. |
Comment
|
tfp Embedded C Lackey Posts: 340 Joined: 2002-09-22 |
Do you know they haven't been working on this for the last 6 months? I don't know about anywhere else but where I'm at when there is a software fix you don't just whip something up and send it out. :rolleyes: Quick kludges/hacks are a good way to break something else. There is a process for doing these things most of the time including: Having the defect reported. Assigning it to someone to look at. Finding out if it is really a problem and what products/builds the issue affected. Deciding how important it is to fix (hey there could be higher priority stuff). Fixing the issue (for each product/build and testing on the fixer's end). Possible merging with other fixes (there could be multiple changes by many people to combine). Then a team (or two) tests out the fix (plus areas around it to check if it broke something else). Then finally you can release the fix. I'm used to embedded stuff so maybe they don't do much integration with other fixes for the release but they will have to make some sort of installer and test that, which I didn't include above. Instead of being concerned why it took six months to fix the problem I would wonder why it took so long for this to be found. It was in both Windows NT 4.0 and Windows 2000 SP3 so it Writing the code that breaks your hardware... |
Comment
|
hellodeadcat SMP Guru Posts: 627 Joined: 2003-02-06 |
Oops, I meant to say that they did not do anything publicly for 6 months. IMO that is an unreasonable amount of time. They should have announced there was an exploit sooner (if they had the fix or not). What they did is basically weigh security risk and cost for all of their users and not let people decide what course of action to take themselves. Physically removing from remote access or using another OS (just temporarily) for critical or priceless data should not be options that MS decides to leave out of its security strategy for end users. It is highly doubtful that someone has not already picked up on this exploit already. As tfp mentioned, this has been around for years! If MS wants to tout itself as a vendor of secure enough products that can be used for priceless or very sensitive data on the enterprise level, they should not be in the business of doing risk/cost/benefit choices for end users. At least some users should have the option to get a heads up on things like this the day MS knows about it. Just because they say it was only discovered recently and the knowledge of it has been contained, does not mean that it has been. While having a ton of consumer end users being potentially exploited is bad, there is a real risk that professional crackers who go after select big targets very quietly have used this and will keep using it. No OS is totally secure and exploits will be found, but what should not happen IMO is for MS (or anyone else) to decide to do secret risk assessments for end users. I doubt they needed to take 6 months to build a patch for it. They may have needed that amount of time to perfect the patch so all other functionality of the OS was intact. The end user, especially on the government/enterprise level should at least have the option to patch, even if it is just a workaround that cripples some features of the OS. White trash Jesus freaks for Bush '04. Join us, YOU will be saved. |
Comment
|
AssKoala Anti-Zealot @ GATech Posts: 3309 Joined: 2002-01-02 |
Genius. No really. Announce to the world that there's an exploitable risk. Ever heard of need to know? By the way, I'm sure the Enterprise and Government were fine. MS tells them things before they get out to the public. Me Webpage | If you always think like an expert, you'll always be a beginner. | "A handful of knowledgeable people is more effective than an army of fools" -Writing Secure Code, 2nd Ed. |
Comment
|
hellodeadcat SMP Guru Posts: 627 Joined: 2003-02-06 |
For some reason I doubt you would feel the same way if you worked for/owned some small game devel company that had a potentially very viable and hot software product and you got exploited by some "unknown" windows exploit and had your game turn up on 100 p2p networks and for sale on the streets of China and Russia. Then it turns out that you were one of the unlucky few who got 0wn3d during the 6 month timeframe of MS knowing about it and them announcing or fixing it. Too bad your company was not on the MS security update short list. As I said before too, MS is making a risk determination for you. I can understand what I think is your point if you weigh the options and find that it is better overall to not have everyone and their sister being able to google for this info and have a bizzilion script kiddies download prebuilt binaries to exploit the hole, but I just disagree. I am guessing MS is smart enough to monitor hacker sites and IRC networks for things like this 24/7, and they probably are good at knowing what is going on. However, they cannot monitor everything and things will slip by them. As I said before, MS does not even consider the option of just unplugging it or switching to another OS for public dealings. BTW, I am no fanboy/zealot of any hardware or software and I do think MS makes some darn nice products and has a lot of brilliant talent with them + keeps a ton of jobs in the USA. I also think they have in the past, and still do have anti-competition practices that should be corrected. White trash Jesus freaks for Bush '04. Join us, YOU will be saved. |
Comment
|
tfp Embedded C Lackey Posts: 340 Joined: 2002-09-22 |
I'm pretty sure that MS doesn't release a fix to some people and then wait until later for others. Also if said small game devel company had their sh1t in gear they would have a good firewall/proxy so people couldn't even try to do something like that. Like AssKoala said letting the world know a problem like that exists when you haven't fixed it is stupid. That's just inviting people to exploit that problem. Heck with the kind of description that is given out now, it's almost too much information. You know how often people patch their PC. I mean damn I don't think work does all of the patches, at least not right away. And some aren't done unless it's in a service pack... tfp Writing the code that breaks your hardware... |
Comment
|
puppet Got Little Feat Posts: 1100 Joined: 2001-08-15 |
Thanks for the heads up. Tyan i840|2x1000|1GB PC800 RDRAM|4xQuantum 10kII|VisionTek X-6964|TBSC|Plextor 40max|S&F Mach 12|iiyama VM pro 501 & VM pro 502|mod'ed Toshiba Magnia 3010 chassis|600W PSU |
Comment
|
XWRed1 Registered User Posts: 185 Joined: 2001-08-27 |
Hmm... is this the same ASN.1 flaw that got fixed in *nix a few months ago? |
Comment
|
BiffStroganoffsky I play a tech on internet Posts: 1419 Joined: 2000-08-24 |
|
Comment
|
XWRed1 Registered User Posts: 185 Joined: 2001-08-27 |
And what would MS say to Enterprise and Government? "Here's a remote vulnerability that you can't block and which we won't give you a patch for"? "You pay us a lot of money, here's the patch you can have it 8 months before the rest of the world"? Neither one seems very good. |
Comment
|
AssKoala Anti-Zealot @ GATech Posts: 3309 Joined: 2002-01-02 |
From what I've read and know, MS does release its security patches to certain "lucky" Enterprises and Organizations ahead of time. However, to make a public announcement is the stupidest thing possible. If the patch will not be ready for some time, making an announcement will only spur people trying to exploit it. Keeping it behind closed doors to fix whatever the problem without damaging other areas is perfectly suitable. Can you think outside the scope of your little world to grasp that one? Here's a news flash, you aren't important enough to know the problem (and neither am I). There's no reason whatsoever to make an exploit public if a fix is on the way and it has yet to be exploited. At the same time, Valve (that little game devel company you talk about. devel, of course, not being a word), is full of crap as far as I'm concerned. Their security was crap, obviously. Have you ever seen this happen to Id? They develop for Windows systems primarily as well. Id keeps their stuff closed. The Doom3 leak, that was ATI's fault. Did it damage anything? No, it was just a bunch of binaries. Why Gabe Newell had his computer online with the source code on it is beyond me. Oh and by the way, the "unknown" exploit Valve got screwed with... It was a Trojan Horse. Not a Windows exploit. At all. They're just morons with security. No seriously, strange crap starts happening with the system. Leave it online. Not even a firewall to monitor access. Yeah, that's MS's fault and perfectly relevant to this topic. Me Webpage | If you always think like an expert, you'll always be a beginner. | "A handful of knowledgeable people is more effective than an army of fools" -Writing Secure Code, 2nd Ed. |
Comment
|
puppet Got Little Feat Posts: 1100 Joined: 2001-08-15 |
Like leaving your keys in an old junk car ... Tyan i840|2x1000|1GB PC800 RDRAM|4xQuantum 10kII|VisionTek X-6964|TBSC|Plextor 40max|S&F Mach 12|iiyama VM pro 501 & VM pro 502|mod'ed Toshiba Magnia 3010 chassis|600W PSU |
Comment
|
XWRed1 Registered User Posts: 185 Joined: 2001-08-27 |
If the patch isn't ready... how are they going to give it to massive organizations and tell them to use it? Either the patch is ready or not. *Nix still patched their ASN.1 ages ago, what was the holdup for Microsoft? Microsoft tested more? No one that patched it in *Nix seemed to suffer (or is this a different ASN.1 bug?)
Id did suffer a source leak of quake3 before the game came out. I'm not sure of the exact nature, I think some bad contractor kept it and then he started trying to build and market his own game off it. Quake3 still came out on time, people weren't raving and crying about how there'd be cheaters, and that leaked source has been pretty much useless. That is a more interesting thing to compare to what happened to Valve than the Doom3 leak, imho. |
Comment
|
hellodeadcat SMP Guru Posts: 627 Joined: 2003-02-06 |
http://www.eeye.com/html/Research/Upcoming/index.html interesting stuff if it happens to be true. From the same people who told MS about the ASN.1 exploit. LOL I read more about what happened to Valve. What the hell were they thinking??? They even noticed odd stuff going on and did not do much about it. That is sad they did not even secure their workstations. Makes about as much sense as NORAD installing bonzai buddy on all their workstations. White trash Jesus freaks for Bush '04. Join us, YOU will be saved. |