[LINK] Microsoft warns of 'critical' flaw in Windows

Howard Lowndes lannet at lannet.com.au
Thu Feb 12 09:20:56 EST 2004


These particular libraries may not be copyright, I don't know their
status, but under the US DMCA (soon to be adopted by AU as part of the
(less than) FTA) I guess disclosure of such vulns might be breach of
copyright.

So much for security.

On Thu, 2004-02-12 at 08:38, Chirgwin, Richard wrote:
> The trashwires have snafud this story and the stuffup flows onto who
> syndicates ... 
> 
> Reuters, in the piece picked up by the ABC, didn't mention the source of the
> vuln, which is our very, very old friend ASN.1. This is, I guess, critical
> vulnerability number five to flow from the language (SNMP, the general ASN.1
> alert a year or so back, OpenSSL, and VoIP within the last month). AAP
> called it a brand-new technology which is flattering for something which had
> existed so long it was made an ITU standard in 1993!
> 
> So I guess to a small degree I have to say "it ain't just Microsoft". This
> stuff is everywhere: the telecommunications network, routers, switches, IP
> phones, mobiles - a list as long as your imagination!
> 
> So much for the MS defence side of the argument. The general alert of ASN.1
> problems was issued in 2002. Since then, the game has been to find out who's
> using ASN libraries and where, and work out whether the implementation is
> vulnerable. 
> 
> Which brings me to MS. The libraries were there and the alert existed - but
> it took an external security researcher (eEye) to force Redmond's hand. So
> it's legitimate to ask why Microsoft left its ASN.1 libraries alone between
> February 2002 and some time in the second half of 2003.
> 
> eEye doesn't shine, IMO, either. The ASN.1 vulnerability game frankly means
> "free ice cream" to security researchers: find a library, crack the library,
> notify the vendor and hey presto, publicity, credibility and sales
> collateral. If the vulnerability were critical and known to be critical,
> then it should have been disclosed. After all: it's a fair assumption that
> the intelligent & nasty crackers (both of them! :-)) are tramping the same
> forest.
> 
> Finally: because this is an 'inherited' vulnerability, we should not be too
> open-source-smug on this vuln. A smattering of open source projects which
> have to deal with ASN.1:
> - Linux (has libraries)
> - OpenSSL
> - Apache (uses ASN.1 for directory data definitions)
> - various GNU projects.
> 
> The vulnerability, as I understand it, is not intrinsic to the language, but
> rather has to do with how the language is compiled into the target system.
> But anyone nearby to an ASN.1 interpreter should be throwing rocks at it to
> see what cracks...
> 
> Richard Chirgwin
-- 
Howard.
LANNet Computing Associates - Your Linux people <http://www.lannetlinux.com>
------------------------------------------
Flatter government, not fatter government - Get rid of the Australian states.
------------------------------------------
To mess up a Linux box, you need to work at it;
to mess up your Windows box, you just need to work on it.
 - Scott Granneman, SecurityFocus
