
Patching ASN.1 no quick call

A recent poll found many security managers and administrators didn't immediately apply a patch for the ASN.1 parser library vulnerability despite warnings that the flaw is one of the worst in Windows history.

Despite being billed as one of the worst flaws ever found in Windows software, many security managers and administrators didn't immediately apply a patch for the ASN.1 parser library vulnerability, according to a recent minipoll.

Forty percent of respondents planned to test the patch prior to applying it, while another 12% planned to apply it on a routine schedule, according to the poll, which drew 138 responses immediately following news of the vulnerability.

Interestingly, Microsoft said it took 200 days before releasing the patch to make sure it didn't break other applications. That only 43% of those polled planned to immediately apply the patch indicates internal QA remains a critical component of an enterprise's patch management system -- regardless of how well tested it is by the software maker.

Given that patch pattern, it's no wonder that 77% said the delay wasn't warranted, according to the poll results.

This vulnerability is caused by integer overflows and other flaws in integer arithmetic in the ASN.1 parser library in Microsoft Windows NT 4.0, 4.0 TSE, 2000, XP and Server 2003. It can permit an unauthenticated remote attacker to execute arbitrary code with system privileges. According to the Computer Emergency Response Team (CERT), any application that loads the ASN.1 library -- including a number of cryptographic and authentication services -- could serve as an attack vector.
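The integer-arithmetic flaws described above are typical of BER/DER length decoding, where a declared length is combined with a header size and compared against the remaining input. The following C code is an added illustration, not part of this article or of Microsoft's library, showing a length decoder written so that neither the length accumulation nor the bounds check can wrap; the single-byte-tag TLV walker around it is a simplification assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Decode one BER/DER length field at buf[0] with `avail` input bytes left.
 * Stores the content length and the size of the length field; returns 0, or
 * -1 if the encoding is malformed or the content cannot fit in the input. */
int asn1_read_length(const uint8_t *buf, size_t avail,
                     size_t *length, size_t *length_bytes)
{
    if (avail < 1) return -1;
    if (buf[0] < 0x80) {                   /* short form: single byte */
        *length = buf[0];
        *length_bytes = 1;
    } else {                               /* long form: 0x80|n, then n bytes */
        size_t n = buf[0] & 0x7f;
        if (n == 0 || n > sizeof(size_t))  /* indefinite, or wider than size_t */
            return -1;
        if (avail - 1 < n)                 /* the n length bytes must be present */
            return -1;
        size_t len = 0;                    /* n <= sizeof(size_t): shifts cannot overflow */
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[1 + i];
        *length = len;
        *length_bytes = 1 + n;
    }
    /* Unsafe form: `*length_bytes + *length > avail` can wrap to a small value
     * and pass. Comparing against the space that is left cannot wrap. */
    if (*length > avail - *length_bytes)
        return -1;
    return 0;
}
/* Walk consecutive TLV elements (single-byte tags only, an assumption of this
 * example) and return their count, or -1 on any malformed element. */
int asn1_count_elements(const uint8_t *buf, size_t len)
{
    int count = 0;
    size_t pos = 0;
    while (pos < len) {
        size_t avail = len - pos, clen, lbytes;
        if (avail < 2 || (buf[pos] & 0x1f) == 0x1f)  /* need tag+length; no long tags */
            return -1;
        if (asn1_read_length(buf + pos + 1, avail - 1, &clen, &lbytes) != 0)
            return -1;
        pos += 1 + lbytes + clen;          /* cannot overrun: checked above */
        count++;
    }
    return count;
}
```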

Exploit code began circulating less than a week after the patch was released, justifying the beliefs of one-third of poll respondents who said it would happen within days of the patch. An additional 39% said exploit code would begin circulating within a few weeks, but 18% said it was circulating prior to the release of the patch, which took Microsoft more than a half year to produce.

In other Microsoft news, leaked source code may be to blame for an Internet Explorer vulnerability announced to the Bugtraq security mailing list. However, experts say the "new" vulnerability was fixed by a patch long ago.

"This is a real vulnerability in old versions of IE5, but was fixed years ago," said Thor Larholm, a senior security researcher at Newport Beach, Calif.-based PivX Solutions.

"I believe that (the leaked source code) will cause a period of insecurity with a horde of vulnerabilities, followed by a hardened OS as a result of vulnerabilities being exposed," said Larholm. "The weeks to come will show whether there are any vulnerabilities left that are still exploitable, or if Microsoft did a thorough job in its Trustworthy Computing initiative."
