 |
• February 13, 2004 •
|
One of the fixes has attracted more attention then usual however. It is the MS04-007 fix, pertaining to a vulnerability in the ASN.1 library. |
Affected software:
|
The vulnerability is caused by an unchecked buffer in the ASN.1 Library, which could result in a buffer overflow. An attacker who successfully exploited this buffer overflow vulnerability could execute code with system privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.
The controversy surrounding this fix is caused by the fact that this vulnerability had been discovered 7 months ago by eEye Digital Security. According to eEye the ASN vulnerability is more dangerous than previous flaws that spawned Nimda, Code Red and Sapphire worms, because the ASN library is widely used by Windows security subsystems, so the vulnerability is exposed through an array of authentication protocols.
Marc Maiffret, chief hacking officer and cofounder of eEye Digital Security criticized Microsoft for the lag time between eEye's discoveries and Microsoft's fixes saying: "We contacted Microsoft about these vulnerabilities 200 days ago, which is insane." Microsoft defends the whopping 7 months it took to fix the flaws as necessary because the company needed to ensure that a patch to such central Windows components didn't break software or cause other problems. "We really took the steps to make sure our investigation was as broad and deep as possible," Microsoft security program manager Stephen Toulouse said.
Security experts Sophos, said computer users should keep a sense of proportion about the flaw, however.
"At the moment, we haven't seen any hackers or worms exploiting this hole, but that doesn't mean computer users don't need to protect their PCs," said Sophos' Graham Cluley, senior technology consultant for Sophos. "Everyone should ensure their computer is patched against this vulnerability as soon as possible. This announcement couldn't have come at a worse time for Microsoft, as they try and build their reputation for security."
So, go and visit windowsupdate.com and get all your friends & relatives to do likewise!
