It’s happening again. A major security vulnerability in Microsoft’s Windows operating system has security experts concerned about widespread attacks even though Microsoft has issued a patch for the problem — this time a security vulnerability in the widely used Abstract Syntax Notation One (ASN.1) protocol.
Microsoft, which rated the vulnerability critical, said that by exploiting an unchecked buffer in the Microsoft ASN.1 Library, an attacker could gain complete control of a computer and take action that includes installing programs, changing or deleting data, and creating new user accounts with administrative privileges.
Microsoft has made a patch available for the flaw and pointed out that there are several potentially mitigating factors — such as the need for network access by an attacker — that make the vulnerability less readily exploitable. However, security experts likened the flaw to the Remote Procedure Call (RPC) gap that facilitated the MS Blaster worm last year and warned that because of its wide use in a variety of servers, the ASN issue could be devastating.
“The ASN vulnerability has the potential to be perhaps one of the most widely exploited vulnerabilities in the history of computing — and I don’t say that lightly,” iDefense director of malicious code Ken Dunham told TechNewsWorld. “Why we’re so concerned is because ASN is so integrated into everything. It’s a widely used and relied-upon syntax notation in the Windows environment.”
The ASN vulnerability — reported by eEye Digital Security and addressed this week with Microsoft’s monthly security updates — affects all Windows operating systems newer than Windows 98, including NT, 2000, XP and Server 2003. The basic, widely used ASN language is the basis of data communication across various platforms.
Gartner research vice president Richard Stiennon said the security hole is most likely to affect servers, such as Microsoft Internet Information Services (IIS) machines, and might result in a server-spreading worm similar to Code Red or Nimda.
“ASN.1 exposes vulnerable IIS servers over Secure Sockets Layer, so that’s a big problem,” Stiennon told TechNewsWorld. “There are tens of thousands of affected servers, and all your e-commerce sites are doing it, so you could have a worm spread among them. Anybody beyond Windows 98 who browses an infected server could be infected that way. That could be very Nimda-like.”
Stiennon, who correctly predicted the MS Blaster worm after the RPC vulnerability was disclosed, said there definitely will be a worm for the ASN hole and estimated it will emerge within a few weeks.
Exploits and Advantages
Indeed, iDefense’s Dunham reported that his company has tested and validated two exploits for the issue and said the vulnerability disclosure and subsequent discussion of it by underground groups followed a pattern similar to what led up to the Blaster and Code Red outbreaks.
Stiennon said there might be additional mitigating factors this time, however, adding that the Internet is “a lot less porous than it was last year when we saw Blaster.”
“This is a very esoteric protocol for Microsoft, so not a lot of people are familiar with it,” Stiennon said of ASN. “And we’ve got an advantage from Slammer and MS Blaster, since a lot of organizations have fixed their firewalls and are blocking everything they should be.”
Delays and Dark Days
Still, Stiennon — who said the flaw is the price Microsoft pays for “making protocols willy-nilly just to get the job done” — indicated the software giant should have responded more quickly to the widespread vulnerability, which took eight months to address after discovery by eEye.
“That’s way too long,” he said. “Now you’re depending on a vulnerability not getting out. There’s just too much opportunity for leakage. There’s no question they have to be faster.”
Dunham said that with the recent MyDoom virus and its variants — which are unrelated to the ASN hole — as well as the integration of spamming tactics in computer worms, computer users are facing hard times.
“There’s going to be a lot of noisy code coming out and hitting people left and right,” Dunham said. “There are going to be nagging issues and lots of worms.”