Microsoft ASN Buffer Overflow in Tandem with Windows 2000 Source Code Leak Could Spell Doom

Slashdot, Microsoft, Information Week ^ | 2004-02-12 | Vanity

[mosel-saar-ruwer]

Folks, this could be very, very bad.

Earlier this week, news arrived of a fundamental flaw in Microsoft's security infrastructure, involving a buffer overflow in Microsoft's implementation of the Abstract Syntax Notation [or ASN] protocol. This flaw allows a malicious user to gain complete control of Microsoft's flagship operating systems:

Microsoft Warns Of Major Windows Security Flaws

While Microsoft tagged two of the three vulnerabilities as "critical," its highest-ranked warning, one is of special concern. The vulnerability relates to Windows Abstract Syntax Notation, a language used to define the syntax of data messages shared between applications and computers. Any flaw in Windows' implementation of ASN is by definition critical, since the ASN library is widely used by the operating system's security subsystems, including Kerberos and NTLM authentication, as well as by applications that use digital certificates, including SSL, digitally signed E-mail, and the ActiveX controls utilized by Internet Explorer.

"These flaws can be detected and exploited remotely, and have the potential to cause serious damage if not immediately remediated," said executives at eEye Digital Security, the firm which uncovered the problem in July 2003.

http://informationweek.com/story/showArticle.jhtml?articleID=17602883

This flaw was so fundamental to Microsoft's implementations that it took them SIX MONTHS to regression test the patch, which is available here:

http://windowsupdate.microsoft.com

Earlier today, a rumor spread like wildfire that Microsoft source code had leaked onto the internet:

Windows 2000 & Windows NT 4 Source Code Leaks

http://slashdot.org/article.pl?sid=04/02/12/2114228

That rumor has since been confirmed by Microsoft:

Microsoft Source Code Leaked Over Web

Microsoft Corp. (MSFT) said late Thursday that portions of its Windows source code - the tightly guarded blueprints of its dominant operating system - had been leaked over the Internet.

http://apnews.myway.com/article/20040213/D80M46CO1.html

Worst case scenario: The bad guys get their hands on enough of the Windows 2000 source code to pinpoint the ASN buffer overflow, and, in the very near future, users everywhere begin to lose control of their security infrastructures...

[mosel-saar-ruwer]

Please, please, please: PATCH YOUR SYSTEMS!!!

[mosel-saar-ruwer]

Bump.

[PeteFromMontana]

Please, please, please: PATCH YOUR SYSTEMS!!!

____________________

Will do, right away! Wait..How on earth do I patch my system?

[Paleo Conservative]

I'm glad Windows 2000 isn't used to fly planes.

[PeteFromMontana]

Oh...Windows Update? I do that, but even that is controversial. I have read on this very site that I should not do the updates. What's a point and click computer user to do?

[mosel-saar-ruwer]

Wait..How on earth do I patch my system?

http://windowsupdate.microsoft.com

[_Jim]

I'm glad Windows 2000 isn't used to fly planes.

MS Flight Sim doesn't count?

[ConservativeMan55]

Windows should automatically come up and give you critical updates.

If it doesn't...go here and follow the instructions.

windowsupdate.microsoft.com

[mosel-saar-ruwer]

What's a point and click computer user to do?

If you are a small businessman running your own shop, or even just a home user with e.g. so little as TurboTax income tax records on your computer, it is IMPERATIVE that you patch for this vulnerability.

[ConservativeMan55]

Microsoft in every car? Absolutely!

[JoJo Gunn]

http://www.freerepublic.com/focus/f-news/1077133/posts

[martin_fierro]

FREE PC PROTECTION: (Not an exhaustive list. Your results may vary. Void where prohibited. For entertainment purposes only. No wagering, please. Whattayawantfernuthin'.)

Alternative browsers: Mozilla Opera AVG Anti-Virus Free Edition: Free anti-viral protection Popup ad killers: Bayden Systems Popup Popper: Blocks popup ads well in MSIE Shoot the Messenger: Close that friggin' Messenger in Windows XP Spyware removers: Spybot S&D AdAware MailWasher: Good for pre-screening & bouncing SPAM Windows Update: At least install the critical ones ZoneAlarm: Excellent Firewall Test your firewall from without with ShieldsUP! Test your firewall from within with LeakTest

[PeteFromMontana]

Hey ConservativeMan, nice to see ya.

[Paleo Conservative]

MS Flight Sim doesn't count?

I mean real planes. Imagine if an airliner's computers could be taken over and the plane were flown into high value buildings on the ground via remote control.

[ConservativeMan55]

Thanks!

Now...where do I know you from?

Oh ok...wait a second...let me think?

Ok..I give up! Where do I know you from?

[nopardons]

BTT

[537 Votes]

I'm glad Windows 2000 isn't used to fly planes.

No, just corporations and federal governments.

[ConservativeMan55]

[_Jim]

Imagine if an airliner's computers could be taken over and the plane were flown into high value buildings on the ground via remote control.

Really!?

They have that now?

[irishtenor]

My system has a rupture?