Please report all spam threads, posts and suspicious members. We receive spam notifications and will take immediate action!
Results 1 to 5 of 5

Thread: Microsoft warns Windows users to patch machines now




  1. #1
    Join Date
    Dec 2002
    Posts
    4,246

    Default

    Serious flaw emerges

    MICROSOFT HAS WARNED USERS of Windows 2000, XP, Server 2003 and NT to patch their machines now to fix a gaping security hole.

    The update is different from the patches Microsoft released as part of its bundling fixes every month.

    It warns the security problem is "critical", and could cause outsiders to run code on PCs remotely and take them over.

    Microsoft has apparently known about the problem for nearly six months. The hole is in the Microsoft ASN.1 library and caused by an unchecked buffer.

    The appropriate bulletin and instructions are on MS Technet, [here].
    -inq
    I've gone too far and need to move on!

  2. #2
    Join Date
    Nov 2003
    Location
    Minnesota, United States
    Posts
    4,543

    Default

    Thanks minibubba. Any idea why it took them six months to come out with this?

  3. #3
    Join Date
    Dec 2002
    Posts
    4,246

    Default

    no i don't, I can only speculate that it was a difficult thing to fix without causing problems with something else. Considering what ASN.1 is (see below), it wouldn't surprise me if that was the case.
    What is ASN.1?
    Abstract Syntax Notation 1 (ASN.1) is a data standard that is used by many applications and devices in the technology industry for allowing the normalization and understanding of data across various platforms. ASN.1 has no direct relationship to any specific standard, encoding method, programming language, or hardware platform. It is simply a language for defining standards. Or in other words, standards are written in ASN.1.

    A vulnerability exists in Microsoft's ASN.1 implementation that, if exploited, could allow an attacker to cause code to execute remotely with system privileges on an affected system. More information about ASN.1 can be found in Microsoft Knowledge Base Article 252648.
    I've gone too far and need to move on!

  4. #4
    Join Date
    Feb 2003
    Location
    No where
    Posts
    445

    Default

    Originally posted by minibubba
    Microsoft has apparently known about the problem for nearly six months. The hole is in the Microsoft ASN.1 library and caused by an unchecked buffer.
    201 days to be exact. TechTV told the world bout it last night which included the fact that they have known about it for 200 days, effectivly making today day 201.

    The main reason that was said on the show for holding it back was, like minibubba said, to make sure it would not effect any other parts of the system.

  5. #5
    Join Date
    Dec 2002
    Posts
    4,246

    Default

    200 days to fix a broken Windows

    Security researchers are both criticizing and empathizing with Microsoft for the 200 days the company needed to create its latest critical software patch.

    The six-plus months is the longest the software giant has taken to release a fix since it started its Trustworthy Computing initiative, a companywide mandate to make security a top priority. Taking so long to fix a serious issue cast doubts on how much progress Microsoft has made in the two-year effort, said Marc Maiffret, chief hacking officer for security research firm eEye Digital Security.

    "If it really took them that long technically to make (and test) the fix, then they have other problems," Maiffret said. "That's not a way to run a software company."

    On Tuesday, Microsoft released a patch for vulnerabilities in a common networking component of Windows NT, Windows 2000, Windows XP and Windows Server 2003. The security flaws could allow an attacker to compromise a computer running any of those Windows systems or allow a malicious coder to create a worm that would affect a large number of systems connected to the Internet.

    eEye notified Microsoft of the issue July 25 and of a second, similar issue on Sept. 25. The software giant didn't release a fix for either problem until this week, 200 days after the first flaw was found.

    Microsoft defended its responsiveness to security issues. The time required for each step in the patching process--from discovery and verification of the problem to creating and testing the fix--can vary, said Jeff Jones, senior director of Trustworthy Computing.

    "If our goal was to get everything out in 30 days or 60 days, we could do that," Jones said. "But our goal is to get out a quality patch."

    Other security researchers agreed that 200 days, while long, is not necessarily a sign of problems.

    "Whatever time frame it takes to fix something, you could always argue that it could have been made somewhat shorter," said Chris Wysopal, vice president of research and development for security firm @Stake, which counts Microsoft as a client. "It is definitely in the multimonth category because of how many versions of the operating system and the big applications that they had to test."

    The flaws exist in Microsoft's implementation of a basic networking protocol known as Abstract Syntax Notation One, or ASN.1. The code is shared by many Windows applications, and the vulnerabilities could let a remote user take control of a computer running a version of Windows that hasn't been patched, according to the advisory posted on Microsoft's Web site. Exploiting the flaw is much easier if the attacker can access a local network, the advisory noted.

    Such widespread vulnerabilities are most tempting for the underground coders who create worms such as MSBlast--also known as Blaster--and Slammer, both of which took advantage of Windows flaws.

    Stephen Toulouse, senior program manager of Microsoft's Security Response Center, said the fix took so long to create because of the difficulties posed by such a pervasive technology.

    "ASN.1 is really an extremely deep...technology in Windows itself," Toulouse said. "This investigation required us to evaluate several different aspects. This is an instance where we really had to do our due diligence."

    Yet the complexity of the problem isn't necessarily an adequate reason for the delay.

    more [here]
    I've gone too far and need to move on!

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •