Just came down from Watchguard...get patching!

JK

Subject: FW: LiveSecurity | Urgent: Windows .DLL Buffer Overflows
Sent: 2/11/2004 2:05 PM
Importance: Normal

-----Original Message-----
From: WatchGuard LiveSecurity
To: RSTROUP
Sent: 2/10/2004 11:14 PM
Subject: LiveSecurity | Urgent: Windows .DLL Buffer Overflows

Buffer Overflows in Default Library Affects All Versions of Windows

Severity: Medium
10 February, 2004

Summary:

Today, a Microsoft Security Bulletin described several new buffer overflow vulnerabilities in the ASN.1 Dynamic Link Library included with Windows machines. An attacker could exploit these buffer overflows to execute code with SYSTEM privileges and gain total control of your Windows machines. If you use Windows in your network you should download, test, and deploy Microsoft's patch as soon as possible.

Exposure:

Abstract Syntax Notation 1 (ASN.1) is a standard language used to define how two dissimilar network systems should send data to one another. As Microsoft states in their alert, "[ASN.1] is simply a language for defining standards." Microsoft Windows ships with a special ASN.1 Dynamic Link Library (DLL) <http://www.watchguard.com/glossary/d.asp#dll> called "msasn1.dll".
Unfortunately, Microsoft's advisory <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp> describes several new buffer overflow <http://www.watchguard.com/glossary/b.asp#buffer_overflow> vulnerabilities in their ASN.1 DLL. Since many applications use Microsoft's ASN.1 DLL, attackers could exploit these vulnerabilities in many ways. Microsoft's advisory claims, "an attacker would have to have direct access to the user's network [in order to exploit these vulnerabilities]." However, according to the original discoverer of these flaws, eEye Digital Security, attackers could exploit these flaws via Kerberos, NTLMv2 authentication, or even through applications that make use of certificates like Internet Explorer.

Regardless of the attack vector, hackers exploiting these buffer overflows could execute code on your Windows systems with full SYSTEM privileges. In other words, they could gain total control of your Windows machines.

Solution Path:

Microsoft has released a patch that corrects these buffer overflow vulnerabilities. If you use Windows, we recommend that you download, test and deploy the corresponding patches as soon as possible.

* Windows NT Workstation 4.0 <http://www.microsoft.com/downloads/details.aspx?FamilyId=92400199-B3D5-4826-98D4-F134849F5249&displaylang=en>
* Windows NT Server 4.0 <http://www.microsoft.com/downloads/details.aspx?FamilyId=E8315430-90CD-4B20-8F54-58527932B588&displaylang=en>
* Windows NT Server 4.0 Terminal Server Edition <http://www.microsoft.com/downloads/details.aspx?FamilyId=D83B39D3-FF13-4D0B-B406-A225AED0D659&displaylang=en>
* Windows 2000 <http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en>
* Windows XP <http://www.microsoft.com/downloads/details.aspx?FamilyId=0CC30297-D4AE-48E9-ACD0-1343D89CCBBA&displaylang=en>
* Windows XP 64-Bit Edition <http://www.microsoft.com/downloads/details.aspx?FamilyId=383C397F-9318-4AD5-9C2C-0577118A1E68&displaylang=en>
* Windows XP 64-Bit Edition Version 2003 <http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1-4B5F-958F-E178C3F61F7C&displaylang=en>
* Windows Server 2003 <http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497-42FF-90E7-283732B2E117&displaylang=en>
* Windows Server 2003 64-Bit Edition <http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1-4B5F-958F-E178C3F61F7C&displaylang=en>

For WatchGuard SOHO, Firebox, and Vclass Users:

Since hackers might deliver this attack in several different ways, possibly including a malicious Web page, the patches above are your best countermeasure.

Status:

Patches are available.

References:

Microsoft Security Bulletin MS04-007 <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp>

eEye Digital Security's ASN.1 Bulletins

* Microsoft ASN.1 Library Bit String Heap Corruption <http://www.eeye.com/html/Research/Advisories/AD20040210-2.html>
* Microsoft ASN.1 Library Length Overflow Heap Corruption <http://www.eeye.com/html/Research/Advisories/AD20040210.html>

This alert was researched and written by Corey Nachreiner.

Copyright 2004 WatchGuard Technologies, Incorporated. All Rights Reserved.
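
The alert describes the flaws only as buffer overflows in an ASN.1 decoding library and gives no detail of the bugs themselves. As an added illustration of that class (not code from the alert, Microsoft, or eEye, and not a reconstruction of the msasn1.dll flaws), the following shows the length validation a decoder for BER, one of the ASN.1 encodings, has to do before using an attacker-supplied length; the function name `ber_read_header`, the result codes, and the sample bytes are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for the hypothetical ber_read_header() below. */
enum { BER_OK = 0, BER_TRUNCATED = -1, BER_UNSUPPORTED = -2, BER_LENGTH_TOO_BIG = -3 };

/* Parse one BER tag/length header from buf[0..len) without trusting the
 * encoded length. On BER_OK, *hdr_len + *content_len <= len is guaranteed. */
int ber_read_header(const uint8_t *buf, size_t len,
                    uint8_t *tag, size_t *hdr_len, size_t *content_len)
{
    if (len < 2)
        return BER_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f)      /* multi-byte tag numbers: not handled here */
        return BER_UNSUPPORTED;

    size_t pos = 2;
    uint32_t value_len = buf[1];      /* short form: the length itself (0..127) */
    if (buf[1] & 0x80) {              /* long form: low 7 bits count length octets */
        size_t n = buf[1] & 0x7f;
        if (n == 0 || n > 4)          /* indefinite form, or wider than 32 bits */
            return BER_UNSUPPORTED;
        if (len - pos < n)
            return BER_TRUNCATED;
        value_len = 0;
        for (size_t i = 0; i < n; i++)
            value_len = (value_len << 8) | buf[pos++];
    }
    /* Compare with the bytes remaining. Never compute pos + value_len or
     * value_len + padding first: that sum can wrap and pass a later check. */
    if (value_len > len - pos)
        return BER_LENGTH_TOO_BIG;

    *tag = buf[0];
    *hdr_len = pos;
    *content_len = value_len;
    return BER_OK;
}

int main(void)
{
    /* Constructed samples: a 3-byte OCTET STRING, and one claiming 4 GiB - 1. */
    const uint8_t good[] = { 0x04, 0x03, 'a', 'b', 'c' };
    const uint8_t huge[] = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 0x00 };
    uint8_t tag; size_t h, c;
    printf("good: %d\n", ber_read_header(good, sizeof good, &tag, &h, &c));
    printf("huge: %d\n", ber_read_header(huge, sizeof huge, &tag, &h, &c));
    return 0;
}
```

A caller should allocate or copy using `content_len` only after `BER_OK`, and apply the same check again to every nested element against its parent's length rather than the whole buffer.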