Microsoft Sits on Security Flaw for Six Months
pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has been just announced by eEye. It is worthy to note, that it took Microsoft over 6 months to fix it. The bug affects ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.
Didn't openssl have a very similar bug that
was disclosed & fixed just about 6 months ago?
Anybody? Buehler?
Looks like MS gets some slack that OSS just
has to fix immediately.
AntiFA: An abbreviation for Anti First Amendment.
Didn't openssl have ASN.1 issues recently? Did MSFT copy some of the code ;-) ?
BTW: Interesting timeline of more to come
Better keep checking for updates.
---- join dshield.org Distributed Intrusion Detec
Hang on.. If windows NT / 2000 are affected.. looks like M$ have been sitting on it for a _lot_ longer than 6 months.
On the other hand, if they didn't know about it, I wonder how many systems could have been compromised. When was windows NT released again ?
Open Source software gets critical fixes within days or hours because anyone running the code can potentially fix the problem.
As Micro$oft's ratio of programmers to supported lines of code decreases, their time to fix bugs will increase.
To put it another way, bloat breeds torpor.
Looks like there is another worm out there spreading fast...its spreading through AIM by sending out links to a site at wgutv.com that masquerades as being a news site proclaiming Osama has been captured. The site downloads an executable (which appears to be digitally signed with a cert issued by Thawte) which, at the least, starts propagating to other AIM buddies. Can't find anything on NAI or Symantec--anyone else seen this in the past 3 hours? (since about 2 PM EST)?
"Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
Every time I see an airport or a power plant affected by windows viruses and/or vulnerabilities I get a bit queasy Will the general public ever realize that if what you are working on is of any importance, nevermind critical importance, then Windows is not the right tool for the job. From the story: "This is one of the most serious Microsoft vulnerabilities ever released," said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, Calif., which discovered the new Windows flaws. "The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks, pretty much any system." Maiffret said some computer systems that control critically important power or water utilities were vulnerable.
Windows is insecure. We know this. Partly it is the result of the operating system and partly it is the result of bad applications. And Microsoft knows it too.
.net. This is a huge, huge step toward eliminating buffer overruns and other trivial errors. Tens of thousands of developers are making the move right now. Any bookstore has at least 50 books on .net technologies.
This is why Microsoft is making the bold move of promoting managed langages like C# and VB.net, and a fully managed runtime in the guise of
In short, laugh about it now, let it distract you from what's coming, let it lull you into thinking Linux will always have the security edge, go right ahead. It won't change anything.
Not every MS user updates once a year, you idiots.
Assuming you didn't mean that as a joke...
The entire point of this article centers on the very fact that no fix existed, despite MS knowing about the problem for over six months.
So, even the most attentive network admin in the world, applying every fix within an hour of release, would not have had the ability to remove this vulnerability from his systems.
Personally, I find it more interesting that MS has the same problem that OpenSSH had, dating from the same time period. Time for a few folks to start comparing the relevant libraries for similarity... Wouldn't that look just great for MS's PR, getting caught not only in a copyright infringement, but using that nasty GPL'd software they so hate...
The Windows help system was exploitable for about 7 years. From the time of Windows NT 4.0's release (1996?) until June, 2003, an attacker could exploit the help system to run their own code. And that's just the help system!
As of September, 2003, there were 31 known unpatched vulnerabilities in Microsoft Internet Explorer. Some of the most critical have not been fixed in well over a year. The original page listing them was removed at Microsoft's request, but I cached it.
Microsoft was notified of significant issues with their implementation of the Java Virtual Machine (JVM) on September 2, 2002, and on April 9th, 2003, Microsoft issued an update to fix the problem. That took more than seven months.
Shameless plug: more examples are available at my site.
Developers: We can use your help.
Wow, eEye still knows of 3 different high severity remote exploit in MS systems, and MS has been sitting on two of them for over 3 months.
Secure computing indeed.
(Wow, great post.)
One of the good parts of Eric Rayrnond's new book The Art of Unix Programming is the discussion of protocol design, and in particular the foolishness of trying to squeeze out every single bit.
In particular, he points out that it's often better to just use a simple encoding, and then run a compressor like LZO or GZIP over the whole thing. This lets you design a simple protocol, and you get the benefit of compression over the whole thing rather than just the metadata. Complexity, of course, is the enemy of security. It is both simpler and gives better compression; and people with more network than CPU can turn compression off or down.
Keith Packard has some similar papers looking at X11, where he concludes that clever tricks like Low Bandwidth X really don't help all that much compared to just using SSH compression.
Latency is a different and harder problem, but one that's often better solved in the high-level design than by bit-banging.
According to Ted Bridis of the Associate Press, Kerberos belongs to Microsoft in his recent article, Microsoft Warns on Windows Security Flaws.
I wrote a letter to Mr. Bridis to offer a correction.
Dear Mr. Bridis;
You wrote:
"Some of Microsoft's built-in security features - such as its Kerberos cryptography system - rely on the flawed software."
This statement is factually incorrect. You're sentence should have read "... such as its implementation of the Kerberos cryptography system..."
Kerberos is, in fact, a creation of the Massachusetts Institute of Technology:
http://web.mit.edu/kerberos/www/#what_is
Please respect the intellectual property rights of MIT in your future writings.
Thanks.
"Rocky Rococo, at your cervix!"