Microsoft recently released a patch for problems with ASN.1 in its Windows operating systems. The patch took roughly half a year for Microsoft to test and release, which was probably due to the seriousness and wide-ranging affects of the problem – e.g. the company wanted to make sure the patch was stable.
The ASN.1 problem was discovered by researchers at eEye Digital Security, and it's not the only problem they've discovered that will be patched by Microsoft. At least seven more security patches on the horizon for Windows platforms.
According to eEye's research Web, the company has discovered and reported to Microsoft seven other high and medium level security problems. The most recent problem was reported February 9, 2004 and the earliest was reported September 10, 2003.
According to eEye the problems include four exploits that could allow local or remote intruders to gain access to a Windows operating system under the context of the System account; one exploit that would allow denial of service attacks that could cause a system to completely fail; and two exploits that can allow arbitrary code to execute. In an effort to protect the public at large eEye made no precise details of these problems available other than the general descriptions summarized above.
As is usually the case, Microsoft has made no comments regarding when patches for these particular problems might become available, however we can safely assume that the company is working on solutions.
And we are to assume this is accecptable? I am past the point of being shocked OR ammuzed.
[Cumulative Security Update for Windows NT 4.0]
I realize that Microsoft has repeatedly stated in
the past that they will not produce a new Service
Pack (SP7) for Windows NT 4.0 but does anyone else
believe it is time for Microsoft to refresh one or
both of the following updates?
WinNT 4.0 Service Pack 6a (SP6a)
Post-WinNT 4.0 SP6a Security Rollup Package (299444)
WinNT 4.x SP6a dates back to 1999:
http://www.microsoft.com/ntserver/ProductInfo/Bulletins/Sp6Mktbulletin.asp
http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/
The most recent cumulative update for WinNT 4.x
is dated July 26, 2001 [2001-07-26]:
299444 - Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)
http://support.microsoft.com/default.aspx?scid=kb;en-us;299444
http://www.microsoft.com/ntserver/nts/downloads/critical/q299444/
If you are manually upgrading Win NT4.0 machines using ‘ IE/Windows Update’ beware that the ASN.1 Patch (KB82028) is not obvious. It does not show up in Critical Updates unless (KB823182)is already installed.
On the 15 machines that I have patched so far I had to first explicitly select the (KB823182) patch before the ASN.1 Patch (KB82028) showed up as a Critical Update. The (KB823182) is not (by default) selected as a Critical Update and must be installed separately.
To verify if the ANS.1 Patch has been installed check the WinNT folder for a folder labeled “$NtUninstallKB828028$”.
This only happened on the WinNT 4.0 machines that I updated.
Register
