Enterprises are scrambling to patch their systems in the wake of Microsoft Corp.'s vulnerability blitz Tuesday that revealed a critical flaw affecting multiple Windows operating systems. The vulnerability can permit an unauthenticated, remote attacker to execute arbitrary code with system privileges.
"It's the biggest Microsoft flaw we've found -- maybe the biggest ever found," said Marc Maiffret, chief hacking officer at Aliso Viejo, Calif.-based eEye Digital Security, which discovered the flaw. "Because it's in a shared component, it has multiple avenues for attacks -- everything from file sharing to IPSec."
According to Maiffret, the ASN.1 flaw was reported to Microsoft 200 days before the patch was released.
A Microsoft spokesperson responded to the large time lapse with this statement: "Security response requires a delicate balance of speed and quality. This investigation required us to evaluate several aspects and instances of this pervasive functionality in order for our engineers to create a comprehensive and high quality fix. This was an instance in which due diligence required us to very carefully evaluate the broadest possible implications of a single anomaly reported to us."
In this instance, integer overflows and other flaws in integer arithmetic cause a vulnerability in the ASN.1 parser library in Microsoft Windows NT 4.0, 4.0 TSE, 2000, XP and Server 2003. According to the Computer Emergency Response Team (CERT), any application that loads the ASN.1 library could serve as an attack vector.
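The class of bug named above, shown on a BER length field, as an added example: this is not Microsoft's code and not a reconstruction of the actual flaw, whose details the article does not give. All function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Flawed check: the sum is taken modulo 2^32, so a huge declared length
 * wraps to a small value and passes. */
static int fits_wrapping(uint32_t off, uint32_t len, uint32_t buflen)
{
    return (uint32_t)(off + len) <= buflen;
}

/* Checked form: compare against the bytes remaining, with no addition. */
static int fits_checked(uint32_t off, uint32_t len, uint32_t buflen)
{
    return off <= buflen && len <= buflen - off;
}

/* Decode the BER length field at buf[*off] (just past the tag octet).
 * Returns 0 and advances *off on success; -1 on truncated input, the
 * indefinite form, or a length wider than 32 bits. */
static int ber_read_length(const uint8_t *buf, uint32_t buflen,
                           uint32_t *off, uint32_t *len)
{
    if (*off >= buflen) return -1;
    uint8_t first = buf[(*off)++];
    if (first < 0x80) { *len = first; return 0; }   /* short form */
    uint32_t n = first & 0x7f;                      /* long form: n length octets */
    if (n == 0 || n > 4 || !fits_checked(*off, n, buflen)) return -1;
    uint32_t v = 0;
    while (n--) v = (v << 8) | buf[(*off)++];
    *len = v;
    return 0;
}

/* Constructed sample: OCTET STRING declaring 0xFFFFFFFE content bytes,
 * followed by only two bytes of data. */
static const uint8_t sample[] = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xfe, 0x41, 0x42 };

/* Returns 1 if the supplied bounds check accepts the sample element. */
static int element_accepted(int (*fits)(uint32_t, uint32_t, uint32_t))
{
    uint32_t off = 1, len = 0;                      /* skip the tag octet */
    if (ber_read_length(sample, sizeof sample, &off, &len) != 0) return 0;
    return fits(off, len, sizeof sample);
}

int main(void)
{
    printf("wrapping check accepts: %d\n", element_accepted(fits_wrapping));
    printf("checked form accepts:   %d\n", element_accepted(fits_checked));
    return 0;
}
```

A parser that trusts the wrapping check would go on to copy or index using a length far larger than the buffer it was given.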
"In particular, ASN.1 is used by a number of cryptographic and authentication services such as digital certificates (x.509), Kerberos, NTLMv2, SSL and TLS," according to the CERT advisory. "Both client and server systems are affected. The Local Security Authority Subsystem (lsass.exe) and a component of the CryptoAPI (crypt32.dll) use the vulnerable ASN.1 library."
Experts believe an exploit is just around the corner.
"This Microsoft ASN.1 library vulnerability appears to have as much destructive potential as [the worm] Blaster and has more attack vectors," said Scott Blake, vice president of information security at Houston-based BindView Corp. "We believe attacks will be conducted remotely over the Internet, via e-mail and by browsing Web pages. We expect to see rapid exploitation -- it's simply a case of when it materializes."
Experts recommend immediately patching vulnerable systems.
"MS04-007 is a crucial patch to apply, and it should be applied as soon as possible because it handles a vulnerability in our most trusted sub-systems: authentication, encryption/decryption and digital certificate handling," said Russ Cooper, TruSecure's surgeon general and editor of the NTBugtraq security mailing list. "Administrators should concentrate on their most critical network security infrastructure, such as domain controllers, Exchange servers, VPNs or firewalls, and worry about desktops and file/print servers later.
"It's important to realize that there are, potentially, hundreds of vectors through which this vulnerability could be exploited, such as a personal firewall, e-mail client or even antivirus software," added Cooper. "However, since the vulnerability is in the underlying OS, a single patch should be sufficient to close all of those exploit opportunities."
But one of Cooper's TruSecure colleagues questions the urgency.
"It's a system-level vulnerability and it needs to be fixed, but the world as we know it is not on the verge of coming to an end," said David Kennedy, director of research services at TruSecure. "When three-fourths of security gurus have to read an FAQ on ASN.1 and finish off at least one Mountain Dew before tackling the details, it suggests to me the malefactors will go after lower hanging fruit."