Tuesday 10 February 2004

MS Security Bulletins - 10 February

Three MS Security Bulletins issued today; the ASN.1 Vulnerability appears to be the critical one:

According to Marc Maiffret of eEye Digital Security which discovered the vulnerability:

This is one of the most serious Microsoft vulnerabilities ever released, the breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks, pretty much any system.

And...

...hackers will try to unleash a damaging Internet infection within weeks. Unlike earlier vulnerabilities that spawned such attacks, hackers can exploit the newly disclosed flaws to break into susceptible computers using dozens of methods, making any defense far more difficult.

Researchers at eEye discovered the problems last July and agreed to keep quiet about them until Microsoft could fix them. Maiffret complained that the delay between eEye's discovery and Tuesday's public disclosure by Microsoft was "just totally unacceptable" because Windows users were broadly vulnerable during the period.

From Eeye's webpage:

eEye Digital Security has discovered a critical vulnerability in Microsoft's ASN.1 library (MSASN1.DLL) that would allow an attacker to overwrite heap memory on a susceptible machine and cause the execution of arbitrary code. Because this library is widely used by Windows security subsystems, the vulnerability is exposed through an array of avenues, including Kerberos, NTLMv2 authentication, and applications that make use of certificates (SSL, digitally-signed e-mail, signed ActiveX controls, etc.).

The MSASN1 library is fraught with integer overflows. In this advisory, we'll describe a pair of arithmetic errors in a generic and low-level part of ASN.1 BER decoding that allow a very large swath of heap memory to be overwritten. This vulnerability affects basically any client of MSASN1.DLL, the most interesting of which are LSASS.EXE and CRYPT32.DLL (and therefore any application that uses CRYPT32.DLL).

Anyway, here are today's bulletins:

Microsoft Security Bulletin MS04-005

Microsoft Security Bulletin MS04-006

Microsoft Security Bulletin MS04-007

Related News

Related Reading: ASN.1

Related Tools