Microsoft Sits on Security Flaw for Six Months
pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has just been announced by eEye. It is worth noting that it took Microsoft over 6 months to fix it. The bug affects the ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.
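The summary says only that the flaw is in the ASN.1 library, so the following is not eEye's finding or Microsoft's code. It is an added illustration of the class of check every DER decoder has to make when it reads a length field: the length is supplied by whoever sent the certificate or ticket, so it must be validated against the bytes actually present before anything is allocated or copied. The function names, status names and sample encodings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcomes of decoding a DER length field (constructed names). */
enum der_status {
    DER_OK = 0,
    DER_TRUNCATED,   /* header or content runs past the end of the buffer */
    DER_INDEFINITE,  /* 0x80: indefinite length, forbidden in DER */
    DER_TOO_LONG,    /* more length octets than size_t can hold */
    DER_NOT_MINIMAL  /* long form where short form would do, or leading zero */
};

/* Decode the length octets at buf[0..len). On DER_OK, *content_len is the
 * declared content length and *consumed the number of length octets read. */
enum der_status der_read_length(const uint8_t *buf, size_t len,
                                size_t *content_len, size_t *consumed)
{
    if (len < 1)
        return DER_TRUNCATED;

    uint8_t first = buf[0];
    if (first < 0x80) {                  /* short form: one octet */
        *content_len = first;
        *consumed = 1;
        return DER_OK;
    }
    if (first == 0x80)
        return DER_INDEFINITE;

    size_t nbytes = first & 0x7f;        /* long form: count of length octets */
    if (nbytes > sizeof(size_t))         /* value could not be represented */
        return DER_TOO_LONG;
    if (len < 1 + nbytes)                /* the length octets themselves are missing */
        return DER_TRUNCATED;
    if (buf[1] == 0x00)                  /* DER forbids leading zero octets */
        return DER_NOT_MINIMAL;

    size_t value = 0;
    for (size_t i = 0; i < nbytes; i++)
        value = (value << 8) | buf[1 + i];

    if (nbytes == 1 && value < 0x80)     /* should have used the short form */
        return DER_NOT_MINIMAL;

    *content_len = value;
    *consumed = 1 + nbytes;
    return DER_OK;
}

/* Decode one TLV with a single-octet tag and confirm the declared content
 * really lies inside the buffer before handing out a pointer to it. */
enum der_status der_read_tlv(const uint8_t *buf, size_t len, uint8_t *tag,
                             const uint8_t **content, size_t *content_len)
{
    if (len < 1)
        return DER_TRUNCATED;
    *tag = buf[0];

    size_t clen, hdr;
    enum der_status st = der_read_length(buf + 1, len - 1, &clen, &hdr);
    if (st != DER_OK)
        return st;

    /* The critical check: the sender picks clen, the buffer fixes len. */
    if (clen > len - 1 - hdr)
        return DER_TRUNCATED;

    *content = buf + 1 + hdr;
    *content_len = clen;
    return DER_OK;
}

/* Constructed sample encodings. */
static const uint8_t sample_ok[]        = { 0x04, 0x03, 'a', 'b', 'c' };
static const uint8_t sample_overclaim[] = { 0x04, 0x82, 0xff, 0xff, 0x00 }; /* claims 65535, has 1 */
static const uint8_t sample_shorthdr[]  = { 0x04, 0x82, 0xff };             /* second length octet missing */
static const uint8_t sample_indef[]     = { 0x04, 0x80 };
static const uint8_t sample_nonmin[]    = { 0x04, 0x81, 0x05, 1, 2, 3, 4, 5 };
static const uint8_t sample_toolong[]   = { 0x04, 0x89, 1, 1, 1, 1, 1, 1, 1, 1, 1 };

/* Convenience wrapper: decode and report only the status. */
enum der_status der_classify(const uint8_t *buf, size_t len)
{
    uint8_t tag;
    const uint8_t *content;
    size_t clen;
    return der_read_tlv(buf, len, &tag, &content, &clen);
}

int main(void)
{
    uint8_t tag;
    const uint8_t *content;
    size_t clen;
    if (der_read_tlv(sample_ok, sizeof sample_ok, &tag, &content, &clen) == DER_OK)
        printf("tag 0x%02x, %zu content bytes\n", tag, clen);
    printf("overclaimed length rejected: %d\n",
           der_classify(sample_overclaim, sizeof sample_overclaim) == DER_TRUNCATED);
    return 0;
}
```

The point of `der_read_tlv` is the single comparison against `len - 1 - hdr`: a decoder that trusts `clen` and reads or allocates from it is reading past its input on the very first malformed message.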
Didn't openssl have a very similar bug that was disclosed & fixed just about 6 months ago?
Anybody? Buehler?
Looks like MS gets some slack that OSS just has to fix immediately.
AntiFA: An abbreviation for Anti First Amendment.
Didn't openssl have ASN.1 issues recently? Did MSFT copy some of the code ;-) ?
BTW: Interesting timeline of more to come
Better keep checking for updates.
Hang on... If Windows NT/2000 are affected, it looks like M$ have been sitting on it for a _lot_ longer than 6 months.
On the other hand, if they didn't know about it, I wonder how many systems could have been compromised. When was Windows NT released again?
Open Source software gets critical fixes within days or hours because anyone running the code can potentially fix the problem.
As Micro$oft's ratio of programmers to supported lines of code decreases, their time to fix bugs will increase.
To put it another way, bloat breeds torpor.
Looks like there is another worm out there spreading fast... it's spreading through AIM by sending out links to a site at wgutv.com that masquerades as a news site proclaiming Osama has been captured. The site downloads an executable (which appears to be digitally signed with a cert issued by Thawte) which, at the least, starts propagating to other AIM buddies. Can't find anything on NAI or Symantec -- anyone else seen this in the past 3 hours (since about 2 PM EST)?
"Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
The article mentions that Microsoft is unaware of any computers hacked with this vulnerability. Assuming it wasn't ever used, then not disclosing it until a patch was made worked well in this situation.
But not disclosing the problem has drawbacks, too. Your system is insecure, and you have to hope nobody else knows about the exploit either. And it's Microsoft's decision when to patch it. It will be interesting to hear why it took them six months. What if it was simply PR: do you feel safe knowing you're vulnerable so Microsoft gets good PR (until now)? Or perhaps it's just laziness. If customers don't know about an exploit, how can they apply pressure to counter it?
Every time I see an airport or a power plant affected by Windows viruses and/or vulnerabilities I get a bit queasy. Will the general public ever realize that if what you are working on is of any importance, never mind critical importance, then Windows is not the right tool for the job? From the story: "This is one of the most serious Microsoft vulnerabilities ever released," said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, Calif., which discovered the new Windows flaws. "The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks, pretty much any system." Maiffret said some computer systems that control critically important power or water utilities were vulnerable.
Windows is insecure. We know this. Partly it is the result of the operating system and partly it is the result of bad applications. And Microsoft knows it too.
This is why Microsoft is making the bold move of promoting managed languages like C# and VB.net, and a fully managed runtime in the guise of .net. This is a huge, huge step toward eliminating buffer overruns and other trivial errors. Tens of thousands of developers are making the move right now. Any bookstore has at least 50 books on .net technologies.
In short, laugh about it now, let it distract you from what's coming, let it lull you into thinking Linux will always have the security edge, go right ahead. It won't change anything.
Not every MS user updates once a year, you idiots.
Assuming you didn't mean that as a joke...
The entire point of this article centers on the very fact that no fix existed, despite MS knowing about the problem for over six months.
So, even the most attentive network admin in the world, applying every fix within an hour of release, would not have had the ability to remove this vulnerability from his systems.
Personally, I find it more interesting that MS has the same problem that OpenSSH had, dating from the same time period. Time for a few folks to start comparing the relevant libraries for similarity... Wouldn't that look just great for MS's PR, getting caught not only in a copyright infringement, but using that nasty GPL'd software they so hate...
This seems all well and good but I call foul. This is NOT why it is unlikely that buffer overflows are going away in the future. Microsoft has realized that there is just too much code to deal with and, like it or not, humans (even with families to feed) make mistakes. And buffer overflows are notoriously difficult to spot with human eyes.
The solution isn't to put more eyeballs on the problem. The solution is to build a better compiler. I don't have the documentation on hand but the newer compilers at Microsoft simply do away with the problem while it's building the opaque executables. The newer operating systems also operate with a "canary" in the memory system which listens for possible buffer overflows and handles the exception.
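The "canary" the poster refers to is a value the compiler places between a function's local buffers and the saved return address, checked before the function returns (Visual C++'s /GS stack cookie is the Windows instance of it). The following is an added model of that idea, not Microsoft's compiler code: a struct stands in for a stack frame so the overwrite stays within defined C, `copy_unchecked` takes the caller's length on trust the way strcpy-style code does, and `copy_bounded` is the hardened form that lets the destination size decide. All names, constants and the 'A' filler input are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a stack frame: a buffer, the canary, then the value an
 * overflow is really after. A real frame has the same ordering in spirit. */
struct frame {
    char      buf[16];
    uint32_t  canary;
    uintptr_t saved_ret;
};

#define CANARY_VALUE 0xC0DEFEEDu
#define FAKE_RET     0x1234u

/* Build n bytes of filler ('A'), capped at the frame size so the model never
 * leaves defined behaviour. Returns the number of bytes actually written. */
static size_t make_input(unsigned char *out, size_t n)
{
    if (n > sizeof(struct frame))
        n = sizeof(struct frame);
    memset(out, 'A', n);
    return n;
}

/* Unchecked copy: only the caller's n is consulted, never the destination size.
 * Writing through a byte pointer over the whole struct keeps this defined C. */
static void copy_unchecked(struct frame *f, const unsigned char *src, size_t n)
{
    memcpy((unsigned char *)f, src, n);      /* spills from buf into canary and beyond */
}

/* Hardened copy: the destination bound decides, and oversize input is refused
 * before a single byte is written. */
static int copy_bounded(struct frame *f, const unsigned char *src, size_t n)
{
    if (n > sizeof f->buf)
        return -1;
    memcpy(f->buf, src, n);
    return 0;
}

/* Returns 1 if the canary check would fire after an unchecked copy of n bytes,
 * 0 if the write stayed inside buf and the canary is intact. */
int canary_trips(size_t n)
{
    unsigned char in[sizeof(struct frame)];
    struct frame f;
    n = make_input(in, n);
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.saved_ret = FAKE_RET;
    copy_unchecked(&f, in, n);
    return f.canary != CANARY_VALUE;
}

/* Returns 1 if the unchecked copy of n bytes reached the saved return slot,
 * i.e. what the canary is there to catch before control is transferred. */
int return_slot_clobbered(size_t n)
{
    unsigned char in[sizeof(struct frame)];
    struct frame f;
    n = make_input(in, n);
    memset(&f, 0, sizeof f);
    f.saved_ret = FAKE_RET;
    copy_unchecked(&f, in, n);
    return f.saved_ret != FAKE_RET;
}

/* Returns 0 when the bounded copy accepts n bytes, -1 when it refuses them. */
int bounded_copy_result(size_t n)
{
    unsigned char in[sizeof(struct frame)];
    struct frame f;
    n = make_input(in, n);
    memset(&f, 0, sizeof f);
    return copy_bounded(&f, in, n);
}

int main(void)
{
    printf("8 bytes trip canary:          %d\n", canary_trips(8));
    printf("20 bytes trip canary:         %d\n", canary_trips(20));
    printf("full-frame write hits return: %d\n", return_slot_clobbered(sizeof(struct frame)));
    printf("bounded copy of 20 bytes:     %d\n", bounded_copy_result(20));
    return 0;
}
```

Two things the model makes visible: the canary only detects the overwrite after it has happened, which is why the runtime's answer is to abort rather than continue, and the bounded copy removes the problem entirely because the size check belongs to the destination, not to whoever supplied the data.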
Srividya, get over yourself. "I do not make security mistakes ever." You have and you will undoubtedly make more in the future. Coders in India are not that much more astute than their American counterparts, they're just paid less.
The Windows help system was exploitable for about 7 years. From the time of Windows NT 4.0's release (1996?) until June, 2003, an attacker could exploit the help system to run their own code. And that's just the help system!
As of September, 2003, there were 31 known unpatched vulnerabilities in Microsoft Internet Explorer. Some of the most critical have not been fixed in well over a year. The original page listing them was removed at Microsoft's request, but I cached it.
Microsoft was notified of significant issues with their implementation of the Java Virtual Machine (JVM) on September 2, 2002, and on April 9th, 2003, Microsoft issued an update to fix the problem. That took more than seven months.
Shameless plug: more examples are available at my site.
Developers: We can use your help.
FYI, the morning after the Superbowl, I caught a story about the MyDoom virus (they referred to SCO as a "small software company") on the morning news. Granted, it's not Tom Brokaw, and they avoided technical details, but you get the point. There are presumably several people in major news organizations that are not brain-dead when it comes to tech news.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
I am looking at WindowsUpdate right now, and am not seeing this patch.
I can go ahead and download it from the page in the story; my question is: why is this patch not up on WindowsUpdate immediately?
Wow, eEye still knows of 3 different high-severity remote exploits in MS systems, and MS has been sitting on two of them for over 3 months.
Secure computing indeed.
Just browse through Freshmeat. I'd say 1/8 of the projects there have not been updated since 2001.
Or search Google for "no longer under development". See how many hits are open source projects.
Here is my list of apps that I want to see under development:
Big Sister for Windows (this one is the one I want updated most of all)
Slackware (well, its alive, but barely)
NCSA Server
In all cases I found that they were unsupported and had to switch to a different solution.
And remember, just because YOU don't use it, doesn't mean there aren't a lot of other people that use it and depend on it.
As far as I know, there were swastika wingdings in the package. Why MS would put a swastika in it to begin with is beyond me, but that is the case.
The bigger question is why it is necessary to remove them. Although they are offensive to most people because of what they represent, they do have a place in history. There are probably legitimate reasons for using them in many documents, e.g. a school report on WW2 or Nazi Germany.
This is my Sig.
> You forget that the U.S. was founded by people who left Europe to find a level of self imposed repression not available to them in the old world.
Those people left Europe to experience religious freedom -- and paradoxically denying it once they got to the U.S. -- which the U.S. then proceeded to eliminate from public discourse in the last 20 years.
And for the record I'm an atheist.
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
(Wow, great post.)
One of the good parts of Eric Raymond's new book The Art of Unix Programming is the discussion of protocol design, and in particular the foolishness of trying to squeeze out every single bit.
In particular, he points out that it's often better to just use a simple encoding, and then run a compressor like LZO or GZIP over the whole thing. This lets you design a simple protocol, and you get the benefit of compression over the whole thing rather than just the metadata. Complexity, of course, is the enemy of security. It is both simpler and gives better compression; and people with more network than CPU can turn compression off or down.
Keith Packard has some similar papers looking at X11, where he concludes that clever tricks like Low Bandwidth X really don't help all that much compared to just using SSH compression.
Latency is a different and harder problem, but one that's often better solved in the high-level design than by bit-banging.
If I were at home, I'd give you the name of the researcher who gathered actual data on this very question.
What he found after combing through tons of CERT data was that disclosure per se didn't do much to increase exploit rates.
What did matter was the release of automated attack tools based on the disclosure.
One reason for full disclosure is that it allows network owners and operators to get and install fixes. However, that also didn't make much difference over the time period he studied. Exploit rates stayed about the same after patch release. Apparently people who stay current on patches are such a small minority that they don't show in the statistics.
All that leaves plenty of room for interesting arguments over disclosure policy.
According to Ted Bridis of the Associated Press, Kerberos belongs to Microsoft, per his recent article, Microsoft Warns on Windows Security Flaws.
I wrote a letter to Mr. Bridis to offer a correction.
Dear Mr. Bridis;
You wrote:
"Some of Microsoft's built-in security features - such as its Kerberos cryptography system - rely on the flawed software."
This statement is factually incorrect. Your sentence should have read "... such as its implementation of the Kerberos cryptography system..."
Kerberos is, in fact, a creation of the Massachusetts Institute of Technology:
http://web.mit.edu/kerberos/www/#what_is
Please respect the intellectual property rights of MIT in your future writings.
Thanks.
"Rocky Rococo, at your cervix!"