[THIN] New Microsoft Vulnerability!

  • From: "Jim Kenzig http://thethin.net" <jimkenz@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>, <windows2000@xxxxxxxxxxxxx>,<msexchange@xxxxxxxxxxxxx>
  • Date: Wed, 11 Feb 2004 14:22:31 -0500

 Just came down from Watchguard...get patching!
JK

Cc:

Subject:  FW: LiveSecurity | Urgent: Windows .DLL Buffer Overflows
Sent:  2/11/2004 2:05 PM
 Importance:  Normal


-----Original Message-----
From: WatchGuard LiveSecurity
To: RSTROUP
Sent: 2/10/2004 11:14 PM
Subject: LiveSecurity | Urgent: Windows .DLL Buffer Overflows





Buffer Overflows in Default Library Affects All Versions of Windows



Severity: Medium



10 February, 2004



Summary:



Today, a Microsoft Security Bulletin described several new buffer
overflow vulnerabilities in the ASN.1 Dynamic Link Library included with
Windows machines. An attacker could exploit these buffer overflows to
execute code with SYSTEM privileges and gain total control of your
Windows machines. If you use Windows in your network you should
download, test, and deploy Microsoft's patch as soon as possible.



Exposure:



Abstract Syntax Notation 1 (ASN.1) is a standard language used to define
how two dissimilar network systems should send data to one another. As
Microsoft states in their alert, "[ASN.1] is simply a language for
defining standards." Microsoft Windows ships with a special ASN.1
Dynamic Link Library (DLL)
<http://www.watchguard.com/glossary/d.asp#dll>  called "msasn1.dll".

Unfortunately, Microsoft's advisory
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp>
describes several new buffer overflow
<http://www.watchguard.com/glossary/b.asp#buffer_overflow>
vulnerabilities in their ASN.1 DLL. Since many applications use
Microsoft's ASN.1 DLL, attackers could exploit these vulnerabilities in
many ways. Microsoft's advisory claims, "an attacker would have to have
direct access to the user's network [in order to exploit these
vulnerabilities]." However, according to the original discoverer of
these flaws, eEye Digital Security, attackers could exploit these flaws
via Kerberos, NTLMv2 authentication, or even through applications that
make use of certificates like Internet Explorer. Regardless of the
attack vector, hackers exploiting these buffer overflows could execute
code on your Windows systems with full SYSTEM privileges. In other
words, they could gain total control of your Windows machines.



Solution Path:



Microsoft has released a patch that corrects these buffer overflow
vulnerabilities. If you use Windows, we recommend that you download,
test and deploy the corresponding patches as soon as possible.

*       Windows NT Workstation 4.0
<http://www.microsoft.com/downloads/details.aspx?FamilyId=92400199-B3D5-4826-98D4-F134849F5249&displaylang=en>

*       Windows NT Server 4.0
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E8315430-90CD-4B20-8F54-58527932B588&displaylang=en>

*       Windows NT Server 4.0 Terminal Server Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D83B39D3-FF13-4D0B-B406-A225AED0D659&displaylang=en>

*       Windows 2000
<http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en>

*       Windows XP
<http://www.microsoft.com/downloads/details.aspx?FamilyId=0CC30297-D4AE-48E9-ACD0-1343D89CCBBA&displaylang=en>

*       Windows XP 64-Bit Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=383C397F-9318-4AD5-9C2C-0577118A1E68&displaylang=en>

*       Windows XP 64-Bit Edition Version 2003
<http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1-4B5F-958F-E178C3F61F7C&displaylang=en>

*       Windows Server 2003
<http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497-42FF-90E7-283732B2E117&displaylang=en>

*       Windows Server 2003 64-Bit Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1-4B5F-958F-E178C3F61F7C&displaylang=en>



For WatchGuard SOHO, Firebox, and Vclass Users:



Since hackers might deliver this attack in several different ways,
possibly including a malicious Web page, the patches above are your best
countermeasure.



Status:



Patches are available.



References:



Microsoft Security Bulletin MS04-007
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp>

eEye Digital Security's ASN.1 Bulletins

*       Microsoft ASN.1 Library Bit String Heap Corruption
<http://www.eeye.com/html/Research/Advisories/AD20040210-2.html>
*       Microsoft ASN.1 Library Length Overflow Heap Corruption
<http://www.eeye.com/html/Research/Advisories/AD20040210.html>



This alert was researched and written by Corey Nachreiner.


Copyright 2004 WatchGuard Technologies, Incorporated. All Rights
Reserved. WatchGuard, LiveSecurity and Firebox, and any other word
listed as a trademark in the "Terms of Use" portion of the WatchGuard
Web site that is used herein, are registered trademarks or trademarks of
WatchGuard Technologies, Inc. in the United States and/or other
countries. All other trademarks are the property of their respective
owners. You may not modify, reproduce, republish, post, transmit, or
distribute this content except as expressly permitted in writing by
WatchGuard Technologies, Inc.
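
The alert above attributes the msasn1.dll flaws to buffer overflows in ASN.1 decoding but gives no detail of them. As an added illustration (not from WatchGuard, Microsoft or eEye, and not a reproduction of those flaws), this C decoder for a DER tag-length header shows the checks a decoder has to make on a sender-supplied length before trusting it. The names `der_tlv` and `der_read_tlv` and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; not an msasn1.dll interface. */
typedef struct { uint8_t tag; size_t len; const uint8_t *value; } der_tlv;

/* Parse one DER tag-length-value header from buf[0..buflen).
 * Returns 0 on success, -1 if malformed or if the declared length
 * exceeds the bytes actually received. */
int der_read_tlv(const uint8_t *buf, size_t buflen, der_tlv *out)
{
    size_t pos = 0, len = 0;
    if (buf == NULL || out == NULL || buflen < 2) return -1;
    out->tag = buf[pos++];
    if ((out->tag & 0x1f) == 0x1f) return -1;        /* multi-byte tags not handled */
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                                  /* short form */
    } else {
        size_t n = first & 0x7f;                      /* count of length octets */
        if (n == 0 || n > sizeof(size_t)) return -1;  /* indefinite, or too wide */
        if (n > buflen - pos) return -1;              /* length octets truncated */
        if (buf[pos] == 0) return -1;                 /* DER: no leading zero */
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80) return -1;                    /* DER: short form required */
    }
    /* Compare with the bytes remaining; pos + len could wrap around. */
    if (len > buflen - pos) return -1;
    out->len = len;
    out->value = buf + pos;
    return 0;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[]   = { 0x04, 0x03, 'a', 'b', 'c' };
static const uint8_t SAMPLE_HUGE[] = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 0x00 };
static const uint8_t SAMPLE_LONG[] = { 0x04, 0x81, 0x03, 'a', 'b', 'c' };

int main(void)
{
    der_tlv t;
    printf("ok:   %d\n", der_read_tlv(SAMPLE_OK, sizeof SAMPLE_OK, &t));
    printf("huge: %d\n", der_read_tlv(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &t));
    printf("long: %d\n", der_read_tlv(SAMPLE_LONG, sizeof SAMPLE_LONG, &t));
    return 0;
}
```

The second sample declares roughly 4 GB of content with one byte present and is rejected; the third encodes a length of 3 in long form, which DER forbids.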



