Late yesterday, Microsoft issued its planned monthly set of security updates, but this month's batch is more serious and more controversial than usual. One of the fixes, rated critical, patches "an extremely deep and pervasive technology in Windows" that attackers can use to take over PCs, yet the flaw was reported to Microsoft 7 months ago and fixed only this week. Security experts describe it as one of the most devastating ever, and Microsoft recommends that all users download and install the patch as soon as possible. The timing couldn't be worse for the company: Microsoft Chairman and Chief Software Architect Bill Gates recently asserted that Windows is more secure than any OS alternative because the system has been so thoroughly tested in the real world through constant attack, and Gates will keynote an upcoming industry security event in San Francisco. So why did Microsoft take so long to fix the flaw, leaving Windows users exposed to potentially devastating electronic attacks?

"This is one of the most serious Microsoft vulnerabilities ever released," said Marc Maiffret, chief hacking officer and cofounder of eEye Digital Security, the company that discovered two of the Windows flaws Microsoft revealed this week. "The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks--pretty much any system." Alarmingly, eEye discovered the flaws last July and agreed to keep quiet until Microsoft could fix them. But Maiffret described the lag between eEye's discoveries and Microsoft's fixes as "totally unacceptable." Microsoft defends the 7 months it took as necessary: the company says it needed to ensure that a patch to such central Windows components didn't break software or cause other problems.
"We really took the steps to make sure our investigation was as broad and deep as possible," Microsoft Security Program Manager Stephen Toulouse said. The critical flaw lies in a Windows component called the ASN.1 library (msasn1.dll), a parser used by multiple Windows features, including file sharing and digital certificates. It affects every Windows version from Windows NT 4.0 through Windows Server 2003, in all desktop and server variants. Notably, the flaw is exploited with a simple buffer overrun, a class of bug Microsoft has wrestled with since its Trustworthy Computing code review 2 years ago; because the library decodes data that arrives over the network through those features, the flaw is reachable remotely, which is what makes its reach so broad. Both XP Service Pack 2 (SP2), due midyear, and Windows 2003 SP1, due in late 2004, will include new memory-protection features designed to thwart most buffer-overrun attacks, but those features are no substitute for installing this patch now. You can learn more about the patch on the Microsoft Web site; Windows users should use Automatic Updates or Windows Update to download and install each of the security patches Microsoft issued this month.
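To make the bug class concrete, here is an added illustration of what "a buffer overrun in an ASN.1 decoder" looks like. It is not code from the article, from Microsoft, or from msasn1.dll, and it does not reproduce the specific defect the bulletin fixes; it is a minimal BER OCTET STRING extractor in C, written for this page, in an unchecked form beside a checked one. The sample byte strings are constructed for the demo and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASN1_OCTET_STRING 0x04

/* One decoded TLV header: tag, encoded content length, header size. */
typedef struct {
    uint8_t tag;
    size_t  len;   /* content length exactly as the sender encoded it */
    size_t  hdr;   /* bytes consumed by the tag and length fields */
} tlv_hdr;

/* Parse a BER tag and length. Returns 0 on success, -1 on malformed input.
 * Shared by both decoders below. It rejects indefinite length (0x80) and
 * length fields wider than size_t, so the accumulation cannot wrap; it
 * does NOT check how much content actually follows the header. */
static int parse_hdr(const uint8_t *in, size_t in_len, tlv_hdr *h)
{
    if (in_len < 2) return -1;
    h->tag = in[0];
    uint8_t b = in[1];
    if (b < 0x80) {                       /* short form: length < 128 */
        h->len = b;
        h->hdr = 2;
        return 0;
    }
    size_t n = b & 0x7fu;                 /* long form: n length bytes follow */
    if (n == 0 || n > sizeof(size_t) || in_len - 2 < n) return -1;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | in[2 + i];
    h->len = len;
    h->hdr = 2 + n;
    return 0;
}

/* VULNERABLE: trusts the encoded length. A length larger than the input
 * reads past `in`; a length larger than `out` writes past it. Returns the
 * number of bytes copied, or -1 if the header is bad or the tag is wrong. */
static long octet_string_unchecked(const uint8_t *in, size_t in_len,
                                   uint8_t *out, size_t out_cap)
{
    tlv_hdr h;
    if (parse_hdr(in, in_len, &h) != 0 || h.tag != ASN1_OCTET_STRING) return -1;
    (void)out_cap;                        /* bug: destination size never consulted */
    memcpy(out, in + h.hdr, h.len);       /* h.len may exceed both buffers */
    return (long)h.len;
}

/* HARDENED: the encoded length must fit both the remaining input and the
 * destination before a single byte is copied. */
static long octet_string_checked(const uint8_t *in, size_t in_len,
                                 uint8_t *out, size_t out_cap)
{
    tlv_hdr h;
    if (parse_hdr(in, in_len, &h) != 0 || h.tag != ASN1_OCTET_STRING) return -1;
    if (h.len > in_len - h.hdr) return -1;   /* content runs past the input */
    if (h.len > out_cap) return -1;          /* content would overrun `out` */
    memcpy(out, in + h.hdr, h.len);
    return (long)h.len;
}

/* Reports the length a decoder would trust for this header (or -1 if the
 * header is malformed) without copying anything, so the demo can show what
 * the unchecked decoder would have done. */
static long declared_len(const uint8_t *in, size_t in_len)
{
    tlv_hdr h;
    return parse_hdr(in, in_len, &h) == 0 ? (long)h.len : -1;
}

/* Constructed sample inputs (not taken from the article or any real exploit). */
static const uint8_t BENIGN[]   = { 0x04, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Long-form length 0x1000 (4096 bytes), but only 4 content bytes follow. */
static const uint8_t OVERLONG[] = { 0x04, 0x82, 0x10, 0x00, 'A', 'B', 'C', 'D' };
/* A 9-byte length field: wider than size_t, refused by parse_hdr itself. */
static const uint8_t TOOWIDE[]  = { 0x04, 0x89, 1, 2, 3, 4, 5, 6, 7, 8, 9 };

int main(void)
{
    uint8_t buf[16];
    long n = octet_string_checked(BENIGN, sizeof BENIGN, buf, sizeof buf);
    printf("checked decoder copied %ld bytes: %.*s\n", n, (int)n, buf);
    printf("overlong header declares %ld bytes; input holds %zu\n",
           declared_len(OVERLONG, sizeof OVERLONG), sizeof OVERLONG - 4);
    printf("checked decoder on it returns %ld\n",
           octet_string_checked(OVERLONG, sizeof OVERLONG, buf, sizeof buf));
    /* octet_string_unchecked(OVERLONG, ...) would memcpy 4096 bytes into a
     * 16-byte stack buffer; deliberately not called here. */
    return 0;
}
```

Build it with `cc -Wall -fsanitize=address` and add a call to `octet_string_unchecked` on `OVERLONG` to watch the sanitizer report the stack write. The two checks in `octet_string_checked` are the whole fix for this bug class; capping the width of the long-form length field in `parse_hdr` matters too, because a length that wraps during accumulation would otherwise pass both comparisons.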
Nice article... gives the exact position where Microsoft really is now!
RamKumar February 11, 2004
Paul quotes CNET on his Internet Nexus website, regarding a security problem that Apple fixed in under a week: "Apple doesn't have a security-policy or support-lifecycle statement on its Web site, unlike operating-system rivals such as Red Hat and Microsoft. In addition, Apple took three days to even respond to the issue...". Regarding this, Paul chortled: "Embarrassing? Yep. Stupid? Oh yeah."
Oh my. Three whole days? Yet Microsoft can take 200 days to fix a flaw described as "one of the most devastating ever", and they're still a paragon of security. Does their "security policy statement" indicate that they'll take over half a year to fix known security holes? I must have missed that section. 200 days, folks. THAT is "embarrassing" and "stupid".
But just wait, folks. Microsoft is working on the problem, because they "Take Security Seriously (TM)". "Windows Server 2003 Service Pack 1 (SP1), due in late 2004, will include new memory protection features designed to thwart most buffer overrun attacks."
Yeah. It'll fix everything, I'm sure. Give me a break.
Editor's note: It's astonishing to me that you think I somehow "back" Microsoft. I think this situation is ridiculous. I'm not defending Microsoft on this at all. --Paul
Wendy Rebecca February 11, 2004
Paul, just get a Mac and run Mac OS X already! Number of Mac OS X viruses = 0 (ZERO). You Wintel Sufferers are gluttons for punishment, aren't you? It doesn't have to be this way.
Editor's note: I have two Macs, actually. But I prefer Windows because it's faster, more compatible with both hardware and software, the hardware is much cheaper, and is more versatile. --Paul
John February 11, 2004
On the surface it seems like "Scary Stuff". It is probably better that the 'deep' patch was thoroughly tested than have something 'half-baked' released that would screw things up. Writing software can be quite a laborious process, and getting heads around complicated code can get almost exponentially more difficult the more that is involved.
Stephen February 11, 2004
I have comment-fatigue on this issue... It never, ever, ends...
Scott D February 11, 2004
This article sounds like an article written by someone who doesn't have anything to write about. They fixed the damn thing, so get over it. Move on.
Sam Jones February 12, 2004
If you go to CERT, you will find that ASN.1 vulnerabilities hit every OS possible, including Apple OS X, via OpenSSL, which ships on most OSes these days, including Cisco routers.
http://www.securityfocus.com/bid/8732/info/
Bruce February 12, 2004
Actually the worst thing you can do is use Microsoft's "Automatic Update Service."
1) Some of the patches contain changes to the Windows EULA which take away some of the original rights you were given, and increase Microsoft's rights.
2) Microsoft has had many problems with patches, i.e. systems stop working, software is now broken, etc.
I run 3 Win98, 1 Win95, and one WinXP computer at home. None are patched, all are extremely secure. There are five simple steps to secure a Windows computer.
1) Install another browser such as Mozilla. Never use IE. If you can, uninstall IE (Win98 and later will not allow this, though there are third-party tools which will help you do it).
2) Install another email client (and uninstall Outlook Express). Mozilla has a decent email client.
3) Install a hardware firewall - Linksys makes excellent units.
4) Install ZoneAlarm (especially on WinXP computers). When you set it up, if any program tries to access the net AND YOU DIDN'T START IT, tell ZoneAlarm to block it. ZoneAlarm is free for personal use.
5) Install OpenOffice, StarOffice, or Easy Office instead of Microsoft Office. All are more secure than the Microsoft product, and far cheaper. You can pay for the router and extra network cabling from the savings.
Wayne
Wayne February 12, 2004
"Microsoft Chairman and Chief Software Architect Bill Gates recently alleged that Windows is more secure than any OS alternatives because the system has been so thoroughly tested in the real world through constant attacks;"
Nice one Bill! I assume the testing is still ongoing then?
"So why did Microsoft take so long to fix the flaw, leaving Windows users open to potentially devastating electronic attacks?"
Perhaps because the flaw touched very large portions of Windows, and perhaps other Microsoft apps. It would take some time to figure out what needed to be changed, and then to test it and make sure nothing bad happened. Windows is so modular you know?
"The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks--pretty much any system."
Nice one. So all of that security in Windows can be bypassed completely? Nice to know. This seems to go right to the heart of Windows here as well.
"Microsoft defends the whopping 7 months it took to fix the flaws as necessary because the company needed to ensure that a patch to such central Windows components didn't break software or cause other problems."
I believe them here. This seemed to affect a lot of things.
"Interestingly, attackers can compromise the flaw with a simple buffer-overrun attack, a common type of attack that Microsoft has wrestled with since its Trustworthy Computing code review 2 years ago."
Nothing is immune to buffer overruns, but it seems that someone can always get to the vital parts of the Windows system with these attacks.
"Both XP Service Pack 2 (SP2), due midyear, and Windows 2003 SP1, due in late 2004, will include new memory-protection features designed to thwart most buffer-overrun attacks."
Sounds rather like chroot. Nice one.
David February 15, 2004
If you go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-007.asp and expand "Security Update Information", and then expand the areas underneath that, you'll find dates on the DLLs for different platforms:
Windows 2003 - Oct 23
Windows 2003 64-bit - Oct 23
Windows XP - Sep 19
Windows XP 64-bit - Oct 23
Windows 2000 - Sep 19
Windows NT - Sep 21
It looks to me like Microsoft had the patches written in short order, but then wanted to do extensive regression testing against everything that uses msasn1.dll.
Toby Ovod-Everett February 18, 2004