[LINK] Microsoft warns of 'critical' flaw in Windows

Chirgwin, Richard Richard.Chirgwin at informa.com.au
Thu Feb 12 08:38:09 EST 2004


The trashwires have snafu'd this story and the stuff-up flows on to whoever
syndicates ... 

Reuters, in the piece picked up by the ABC, didn't mention the source of the
vuln, which is our very, very old friend ASN.1. This is, I guess, critical
vulnerability number five to flow from the language (SNMP, the general ASN.1
alert a year or so back, OpenSSL, and VoIP within the last month). AAP
called it a brand-new technology, which is flattering for something which had
existed so long it was made an ITU standard in 1993!

So I guess to a small degree I have to say "it ain't just Microsoft". This
stuff is everywhere: the telecommunications network, routers, switches, IP
phones, mobiles - a list as long as your imagination!

So much for the MS defence side of the argument. The general alert of ASN.1
problems was issued in 2002. Since then, the game has been to find out who's
using ASN libraries and where, and work out whether the implementation is
vulnerable. 

Which brings me to MS. The libraries were there and the alert existed - but
it took an external security researcher (eEye) to force Redmond's hand. So
it's legitimate to ask why Microsoft left its ASN.1 libraries alone between
February 2002 and some time in the second half of 2003.

eEye doesn't shine, IMO, either. The ASN.1 vulnerability game frankly means
"free ice cream" to security researchers: find a library, crack the library,
notify the vendor and hey presto, publicity, credibility and sales
collateral. If the vulnerability were critical and known to be critical,
then it should have been disclosed. After all: it's a fair assumption that
the intelligent & nasty crackers (both of them! :-)) are tramping the same
forest.

Finally: because this is an 'inherited' vulnerability, we should not be too
open-source-smug on this vuln. A smattering of open source projects which
have to deal with ASN.1:
- Linux (has libraries)
- OpenSSL
- Apache (uses ASN.1 for directory data definitions)
- various GNU projects.

The vulnerability, as I understand it, is not intrinsic to the language, but
rather has to do with how the language is compiled into the target system.
But anyone near an ASN.1 interpreter should be throwing rocks at it to
see what cracks...

Richard Chirgwin
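
The post's closing point, that the bug lives in how the encoding rules get implemented rather than in the ASN.1 notation itself, and its advice to throw rocks at any decoder within reach, are illustrated by the following added example. It is not from the post, from Microsoft, eEye or any of the projects named above; it is a minimal DER tag-length decoder written twice (the trusting style that produced this class of bug, and a hardened one that checks every claim in the header against the bytes actually present), plus a tiny mutation harness. All function names and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the post or from any vendor: a DER
 * tag-length decoder written two ways.  Names and sample bytes are
 * constructed for illustration. */

typedef struct {
    uint8_t tag;      /* identifier octet (single-byte tags only) */
    size_t  hdr_len;  /* octets consumed by the tag + length fields */
    size_t  len;      /* declared length of the contents */
} tlv_t;

/* Vulnerable style: believes the declared length.  Two defects typical
 * of decoders of that era: the long-form length octets are accumulated
 * with no bound on how many there are (over-read, and the value can
 * wrap), and the result is never compared with the buffer, so a caller
 * that does memcpy(dst, buf + hdr_len, len), or allocates len bytes,
 * works from an attacker-chosen size. */
int tlv_decode_unchecked(const uint8_t *buf, size_t buflen, tlv_t *out)
{
    if (buflen < 2) return -1;
    out->tag = buf[0];
    size_t pos = 2;
    if (buf[1] < 0x80) {
        out->len = buf[1];
    } else {
        unsigned nbytes = buf[1] & 0x7f;
        size_t len = 0;
        for (unsigned i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];   /* no bounds check, can wrap */
        out->len = len;
    }
    out->hdr_len = pos;
    return 0;                                /* len vs. buflen never checked */
}

/* Hardened style: every claim in the header is checked against the octets
 * that exist, and DER's minimal-encoding rule is enforced so each length
 * has exactly one valid encoding. */
int tlv_decode_checked(const uint8_t *buf, size_t buflen, tlv_t *out)
{
    if (buf == NULL || out == NULL || buflen < 2) return -1;
    out->tag = buf[0];
    size_t pos = 2;
    size_t len;
    if (buf[1] < 0x80) {
        len = buf[1];                            /* short form */
    } else {
        unsigned nbytes = buf[1] & 0x7f;
        if (nbytes == 0) return -1;              /* indefinite length: BER, not DER */
        if (nbytes > sizeof(size_t)) return -1;  /* cannot represent: would wrap */
        if (nbytes > buflen - pos) return -1;    /* length octets run off the buffer */
        if (buf[pos] == 0x00) return -1;         /* non-minimal: leading zero octet */
        len = 0;
        for (unsigned i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80) return -1;               /* non-minimal: short form required */
    }
    if (len > buflen - pos) return -1;           /* contents would exceed the buffer */
    out->hdr_len = pos;
    out->len = len;
    return 0;
}

/* "Throwing rocks": a deliberately tiny mutation harness.  Overwrites the
 * first length octet of a valid encoding with every value 0..255 and
 * checks that the hardened decoder never accepts a header whose declared
 * extent exceeds the buffer.  Returns the number of mutants accepted, or
 * -1 if the invariant was ever violated (i.e. the decoder has a bug). */
int rock_throw_length_octet(const uint8_t *good, size_t n)
{
    uint8_t mutant[64];
    if (n < 2 || n > sizeof mutant) return -1;
    int accepted = 0;
    for (int v = 0; v < 256; v++) {
        memcpy(mutant, good, n);
        mutant[1] = (uint8_t)v;
        tlv_t t;
        if (tlv_decode_checked(mutant, n, &t) == 0) {
            if (t.hdr_len > n || t.len > n - t.hdr_len) return -1;
            accepted++;
        }
    }
    return accepted;
}

/* Constructed sample inputs, not captured from any real product. */
/* Well-formed SEQUENCE { INTEGER 1, INTEGER 2 }. */
const uint8_t GOOD_SEQ[] = { 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02 };
/* Same payload, but the SEQUENCE header claims 0xFFFFFFFF content octets. */
const uint8_t EVIL_LEN[] = { 0x30, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x02, 0x01, 0x01 };
/* Header promises five length octets, buffer ends right there.  Only the
 * checked decoder is ever run on this one; the unchecked one would read
 * past the array. */
const uint8_t TRUNC_LEN[] = { 0x30, 0x85 };
```

The unchecked decoder happily reports a 4 GiB body for EVIL_LEN from a nine-byte message, which is exactly the kind of value that becomes an over-read or an allocation-size overflow one call later; the checked decoder rejects it, the truncated header, and every harmful mutant the harness produces. The same shape of check (length octets within the buffer, value representable, minimal encoding, contents within the buffer) is what to look for when reading any ASN.1 decoder, open source or not.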

