[ccc-virusalert] latest microsoft vulnerability

  • From: Jarrod Wilkes <jarrod@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: ccc-virusalert@xxxxxxxxxxxxx
  • Date: Tue, 10 Feb 2004 21:26:54 -0500

"This is one of the most serious Microsoft vulnerabilities ever 
released," - Marc Maiffret, Chief Hacking Officer (CHO) of eEye Digital 
Security Inc.
"This one is REAL bad," - Me.

That being said, here are some articles:
From Microsoft:

From eEye (the company that found the exploit and told Microsoft over 6 
months ago, July 25th):

From AP (Associated Press):

What this means:
MSASN1.DLL (Abstract Syntax Notation - a way to understand data syntax 
across different systems) has several vulnerabilities that would allow 
an attacker to overwrite heap memory via integer overflows (very bad) on 
a susceptible machine and execute arbitrary code. This file is used 
widely by several Windows services, and most Windows security 
subsystems. Kerberos (email/password authentication), NTLMv2 
authentication, and any applications (Internet Explorer, Microsoft 
Outlook and Outlook Express, third-party applications) that use 
certificates (SSL, signed e-mail, ActiveX) are all vulnerable.

What this means (IN ENGLISH):
Any computer running Windows NT, 2000, or XP can be silently overtaken 
by an attacker. The attacker can run programs, view, copy, and edit 
files, basically do whatever they want with ease. This means that your 
bank, your CC company, your medical/dental records, your company's data, 
etc., or any computer connected to the internet, can be overtaken. I'm 
sure you can think of a few more bad things that can happen.

The BAD news:
eEye.com, who warned Microsoft back in July, promised not to speak 
about the exploit until Microsoft had a fix. Unfortunately, eEye was 
informed last week that someone in a foreign country had also discovered 
the security hole. They, eEye, pressured Microsoft, and the fix was 
released about 2 hrs ago. Marc Maiffret, from eEye, estimates that we 
have 1 to 3 weeks before a worm is released, maybe less. This network 
worm will wind its way through the internet, and turn unpatched 
computers into its playthings. Any computer connected to the net is 
vulnerable. You don't need to be checking email or surfing, and us users 
of alternative browsers, like Mozilla, are still vulnerable.

The GOOD news:
The patch is out. Go, right NOW, and download it from:
You need to be using Internet Explorer to download the patch. It will 
take you less than 1 min., even using dial-up. Also good news is that 
all the system/network admins of all the major places (banks, medical, 
telecom), if they're smart, will patch all affected computers 
tomorrow (Wednesday). This should lessen impact, but all home users 
should patch immediately to avoid their data being compromised, and 
their computer being used as an attacker against others.

On a side note, my inbox has been getting deluged with viruses. My Norton 
Antivirus deletes them before they get in my inbox. This is not the 
MyDoom.A/B or MyDoom.Juice viruses that I wrote about last week. I turned 
off my virus scanner (not for the faint of heart) to examine what they 
were, and discovered it was an "official" looking email from Microsoft 
with an attachment containing the latest security patch. Let me 
reiterate some points:
1. Don't open attachments.
2. Microsoft will never send you any patch. They probably don't have 
your email anyway. Download patches from the site: 

So, patch your system(s). And all you network admins, if you have an 
IDS (Intrusion Detection System), which you should, look for rule updates 
within the next few days, if not already.
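
Added example, not part of the original post and not MSASN1.DLL code: a generic C illustration of the bug class the message names, where an attacker-supplied ASN.1 (BER) length makes a 32-bit size calculation wrap, next to a parser that validates the length first. The names `PAD`, `ber_length`, `alloc_size_unchecked` and `ber_copy_value` and the sample bytes are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAD 8u /* hypothetical bookkeeping bytes added to each allocation */

/* Constructed inputs: OCTET STRING (tag 0x04), honest length vs. hostile length. */
static const uint8_t GOOD[] = {0x04, 0x03, 'a', 'b', 'c'};
static const uint8_t HOSTILE[] = {0x04, 0x84, 0xff, 0xff, 0xff, 0xfc, 'A'};

/* Decode a BER definite length starting at buf[1]; returns header size, 0 on error. */
static size_t ber_length(const uint8_t *buf, size_t n, uint32_t *len)
{
    if (n < 2) return 0;
    if (!(buf[1] & 0x80)) { *len = buf[1]; return 2; } /* short form */
    size_t k = buf[1] & 0x7f;                          /* long form: k length octets */
    if (k == 0 || k > 4 || n < 2 + k) return 0;        /* indefinite, too wide, truncated */
    uint32_t v = 0;
    for (size_t i = 0; i < k; i++) v = (v << 8) | buf[2 + i];
    *len = v;
    return 2 + k;
}

/* Weak pattern: 32-bit addition wraps, so a huge declared length gives a tiny size. */
static uint32_t alloc_size_unchecked(uint32_t len) { return len + PAD; }

/* Hardened: allocate and copy only if the declared length fits the input. */
static uint8_t *ber_copy_value(const uint8_t *buf, size_t n, uint32_t *out_len)
{
    uint32_t len;
    size_t hdr = ber_length(buf, n, &len);
    if (hdr == 0) return NULL;
    if (len > n - hdr) return NULL;          /* more bytes declared than present */
    if (len > UINT32_MAX - PAD) return NULL; /* size computation would wrap */
    uint8_t *p = malloc((size_t)len + PAD);
    if (!p) return NULL;
    memcpy(p, buf + hdr, len);
    *out_len = len;
    return p;
}

int main(void)
{
    uint32_t len = 0, out = 0;
    ber_length(HOSTILE, sizeof HOSTILE, &len);
    printf("declared=%#x unchecked size=%u\n", (unsigned)len, (unsigned)alloc_size_unchecked(len));
    printf("hostile %s\n", ber_copy_value(HOSTILE, sizeof HOSTILE, &out) ? "accepted" : "rejected");
    uint8_t *p = ber_copy_value(GOOD, sizeof GOOD, &out);
    printf("good: %u bytes copied\n", p ? (unsigned)out : 0u);
    free(p);
    return 0;
}
```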
