Microsoft

Critical Windows flaw involving ASN.1 demands attention

Microsoft has disclosed a critical new flaw involving the ASN.1 protocol, which affects many Windows systems. Get the details and links to patch this vulnerability and other new flaws.


Three new Microsoft Security Bulletins have arrived. Two are relatively minor, but one, MS04-007, "ASN.1 Vulnerability Could Allow Code Execution," potentially poses an extremely critical threat to major infrastructures around the world. The ASN.1 protocol affects all Windows systems and is an international standard employed by power grids, water systems, and various industrial control systems, where it is used to exchange data between sensors and software.

Details
Abstract Symbol Notation (ASN.1) is a widely used standard that was produced by Xerox back in the 1980s for representing data, including text. According to eEye Digital Security, it discovered the initial flaw in the ASN.1 library (MSASN1.dll) about seven months ago (July 25, 2003) and notified Microsoft of the danger at that time. Although all known vulnerabilities in ASN are reportedly patched by MS04-007, eEye points out in the U.K.-based PC Advisor that where one flaw exists, more can be expected, saying Microsoft's implementation of ASN is "fraught with integer overflows."

eEye also reported a second critical flaw in ASN.1 to Microsoft on Sept. 30, 2003. Kerberos and a number of other Windows services lay the affected machines open to these ASN.1 flaw attacks. Neither vulnerability was disclosed by eEye until after Microsoft released the new patch. Both threats are heap memory overwrites caused by integer buffer overruns (an unchecked buffer in ASN.1).

The other newly released Microsoft Security Bulletins are:
  • MS04-006—This is a WINS vulnerability that can allow an attacker to run arbitrary code on the system. The flaw is caused by a failure to properly validate the length of specially crafted data packets.
  • MS04-005—This is a vulnerability in Virtual PC for Macintosh that could lead to privilege elevation; it affects multiple versions of this software.

Applicability
The two ASN.1 library vulnerabilities reported by eEye and patched by Microsoft (MS04-007) cumulatively affect the following:
  • Windows NT 4.0 (most versions)
  • Windows 2000 (SP3 and earlier)
  • Windows XP (all versions)
  • Windows Server 2003
  • Internet Explorer, Outlook, Outlook Express, and some other applications
    Also affected are the following services:
  • Kerberos (UDP/88)
  • IIS using SSL
  • NTLMv2 authentication (TCP/135, 139, 445)

A simple search for "MSASN1.dll" on any system will show if ASN is present. If it is, then this patch is needed.

The WINS flaw (MS04-006) affects:
  • Windows NT Server 4.0, Service Pack 6a
  • Windows NT Server 4.0 TSE (Terminal Server Edition), Service Pack 6
  • Windows 2000 Server, SP2, SP3, and SP4
  • Windows Server 2003
  • Windows Server 2003, 64-Bit Edition

Note that Windows XP is not generally affected, nor are some workstations, some versions of Windows NT 4.0, or Windows 2000 Professional.

For the Macintosh Virtual PC flaw (MS04-005), all versions supported by Microsoft are vulnerable, and earlier versions that Microsoft didn’t evaluate could also be vulnerable as well.

Risk level—critical (for ASN.1)
The ASN.1 vulnerability can allow a remote attacker to run arbitrary code on a compromised system. It's quite likely that a worm based on the ASN vulnerability could be created and released, causing havoc, because there's no way to disable ASN services without placing many critical systems at risk.

Microsoft rates the WINS flaw low (on most systems) to important (Windows Server 2003 only). However, some others are calling this a high or nearly critical threat. Secunia, in particular, rates it as “moderately critical.”

The Macintosh Virtual PC vulnerability will allow users to run arbitrary code on the affected system. I suppose Microsoft rated this as important only because it can’t be exploited by a random hacker over the Internet.

Mitigating factors
Microsoft notes that Windows NT 4.0 does not install ASN.1 by default, but that it is installed if you apply the security update MS03-041 or some other hot fixes. In the bulletin, Microsoft also says that the easiest mode of attack would require direct network access, but didn’t rule out the possibility of a remote attack.

There are multiple mitigating factors related to the WINS threat. First, WINS is not installed by default. On some systems, the flaw only triggers an automatic reboot. Default firewall settings should greatly reduce the threat level from this vulnerability.

The Macintosh Virtual PC threat can be exploited only by someone with legitimate local, network, or Internet access to the system. In other words, only an insider, former insider, or someone who got an insider’s password can take advantage of this vulnerability.

Fixes
  • ASN.1 vulnerability—This one must be patched. There is no known workaround for the ASN.1 flaw.
  • WINS vulnerability—There are several workarounds for the WINS vulnerability, including the removal of WINS if you aren’t using it. Microsoft also reports that you can stop this attack at the firewall by blocking TCP port 42 and UDP port 137.
  • Macintosh Virtual PC—The patch can be applied only to Virtual PC for Mac versions 6.0, 6.01, 6.02, or 6.1. The patch will also bring the version level up to 6.1.1.

Final word
Note to Microsoft: Your scheduled patch release strategy isn’t working. All it really does is let hackers know when they might start experiencing problems exploiting a known vulnerability. I think it would be better to go back to posting fixes as needed and then leave it to IT professionals to decide when to patch.

As for the Virtual PC problem, it's only fair to note that it appears this flaw was due not to Microsoft itself, but to Connectix, which sold the Virtual PC to Microsoft in February 2003.

Also watch for …
  • Apache has acknowledged local privilege escalation and DoS vulnerabilities in mod_alias and mod_rewrite. These are definitely found in the Solaris version of Apache, and a patch is provided for Solaris 9.

  • Following on the heels of an announcement naming CERT as the designated organization to publish national cybersecurity alerts, the U.S. Department of Homeland Security has announced three new bureaucratic assemblages, one of which is tasked with what appears to be exactly the same job as the one assigned to CERT. Nothing like keeping things simple.



Editor's Picks