Windows Critical Update

CjkaceBM

Fledgling Freddie
Joined
Jan 25, 2004
Messages
126
Who should read this document: Customers who are using Microsoft® Windows®

Impact of vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the update immediately.

Security Update Replacement: None

Caveats: Windows NT 4.0 (Workstation, Server, and Terminal Server Edition) does not install the affected file by default. This file is installed as part of the MS03-041 Windows NT 4.0 security update and other possible non-security-related hotfixes. If the Windows NT 4.0 security update for MS03-041 is not installed, this may not be a required update. To verify if the affected file is installed, search for the file named Msasn1.dll. If this file is present, this security update is required. Windows Update, Software Update Services, and the Microsoft Security Baseline Analyzer will also correctly detect if this update is required.

Affected Components:

Microsoft ASN.1 Library
The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.


Technical Details
A security vulnerability exists in the Microsoft ASN.1 Library that could allow code execution on an affected system. The vulnerability is caused by an unchecked buffer in the Microsoft ASN.1 Library, which could result in a buffer overflow.

An attacker who successfully exploited this buffer overflow vulnerability could execute code with system privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.

Abstract Syntax Notation 1 (ASN.1) is a data standard that is used by many applications and devices in the technology industry for allowing the normalization and understanding of data across various platforms. More information about ASN.1 can be found in Microsoft Knowledge Base Article 252648.

Mitigating factors:

In the most likely exploitable scenario, an attacker would have to have direct access to the user's network.

Severity Rating:

Microsoft Windows NT 4.0 Critical
Microsoft Windows NT Server 4.0 Terminal Server Edition Critical
Microsoft Windows 2000 Critical
Microsoft Windows XP Critical
Microsoft Windows Server 2003 Critical

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0818

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-007.asp
 

Sharma

Can't get enough of FH
Joined
Dec 22, 2003
Messages
4,679
You know sometimes i think its times like these i wish i had a *nix system or even a mac. :eek7:
 

Kami

Part of the furniture
Joined
Dec 22, 2003
Messages
2,254
LOL Trust me you don't want a mac, especially a G4 servers. I have nightmares with the ones we have at work..

It's like a woman, now and then it just decides to be a bitch, womans right of course :)

Add to that the fact that Apple release just as many OS updates as MS and tend to make more bugs with each release - Then come out with a brand new OS and tell you just to buy it - it'll sort your problems.
 

Hulbur

Fledgling Freddie
Joined
Dec 22, 2003
Messages
16
Well thanks for the heads up anyways.

But as far as i can tell, as long as you got the (sp1) downloaded, you should be in the clear?
 

PJS

Fledgling Freddie
Joined
Jan 16, 2004
Messages
494
if (sizeof(data) > sizeof(buffer)) then error

how hard is it really??? :twak:
 

Roo Stercogburn

Resident Freddy
Joined
Dec 22, 2003
Messages
4,486
The function is easy. Making sure the reference is included at all appropriate points in code that may be tens of thousands of lines long isn't - with modules written by different groups of developers, even if they are using source control things can slip through.

Despite how trendy it is to bash MS and other providers, the coders aren't noobs and developing business level software isn't quite as easy as knowing a couple of lines of code ;)
 

Athan

FH is my second home
Joined
Dec 24, 2003
Messages
1,063
Hulbur said:
Well thanks for the heads up anyways.

But as far as i can tell, as long as you got the (sp1) downloaded, you should be in the clear?
In a word: no. Now go run IE (shudder, but necessary for this) and Tools > Windows Update. Sheesh you should be doing that at least once a week if you've turned off it checking automatically!

-Ath
 

Roo Stercogburn

Resident Freddy
Joined
Dec 22, 2003
Messages
4,486
Yer, from the security bulletins, you need this update even if you've been religious about Windows Updates, whatever version you are running and tbh when I checked my own laptop out (which is always up to date) that critical update was sitting there waiting to be added.
 

yaruar

Can't get enough of FH
Joined
Dec 22, 2003
Messages
2,617
Sharma said:
You know sometimes i think its times like these i wish i had a *nix system or even a mac. :eek7:
Sometimes I wish that the hardware designers of processors and memory architecture made it possible to stop buffer overflows at the hardware level by fencing off memory and not allowing over writes. They are the ones to blame IMO.
 

Anastasia

Can't get enough of FH
Joined
Dec 23, 2003
Messages
274
Roo Stercogburn said:
Despite how trendy it is to bash MS and other providers, the coders aren't noobs and developing business level software isn't quite as easy as knowing a couple of lines of code ;)
true
 

yaruar

Can't get enough of FH
Joined
Dec 22, 2003
Messages
2,617
Roo Stercogburn said:
The function is easy. Making sure the reference is included at all appropriate points in code that may be tens of thousands of lines long isn't - with modules written by different groups of developers, even if they are using source control things can slip through.

Despite how trendy it is to bash MS and other providers, the coders aren't noobs and developing business level software isn't quite as easy as knowing a couple of lines of code ;)
indeed and people are soon to forget just how many security holes are patched on a mnothly basis in linux and other puported secure os's

I've said it once and I'll say it again my patched MS servers are a damn sight more secure than the redhat box most n00b linux users have in their homes because they don't think they need to patch, or just don't know where to get the patches from.
 

Prudil

One of Freddy's beloved
Joined
Dec 24, 2003
Messages
458
yaruar said:
indeed and people are soon to forget just how many security holes are patched on a mnothly basis in linux and other puported secure os's

I've said it once and I'll say it again my patched MS servers are a damn sight more secure than the redhat box most n00b linux users have in their homes because they don't think they need to patch, or just don't know where to get the patches from.
Amen :D
 

PJS

Fledgling Freddie
Joined
Jan 16, 2004
Messages
494
Roo Stercogburn said:
The function is easy. Making sure the reference is included at all appropriate points in code that may be tens of thousands of lines long isn't - with modules written by different groups of developers, even if they are using source control things can slip through.

Despite how trendy it is to bash MS and other providers, the coders aren't noobs and developing business level software isn't quite as easy as knowing a couple of lines of code ;)
Yeah, well I am a software engineer and any coder who is responsible for an unchecked buffer overflow is a noob. You put it in when you write the code not as an afterthought. When you create an array that is filled from a source out of your control (ie user input) YOU CHECK THE DAMN INPUT FOR OVERFLOW. Simple as that and a lot easier than rocket science.
 

Anastasia

Can't get enough of FH
Joined
Dec 23, 2003
Messages
274
PJS said:
Yeah, well I am a software engineer and any coder who is responsible for an unchecked buffer overflow is a noob. You put it in when you write the code not as an afterthought. When you create an array that is filled from a source out of your control (ie user input) YOU CHECK THE DAMN INPUT FOR OVERFLOW. Simple as that and a lot easier than rocket science.
Send em your cv then mate, cos I for one am sick to death of skript kiddehs taking advantage of these n00b holes in the OS to prove just how tragically inadequate they are in real life ;)
 

CjkaceBM

Fledgling Freddie
Joined
Jan 25, 2004
Messages
126
PJS said:
Yeah, well I am a software engineer and any coder who is responsible for an unchecked buffer overflow is a noob. You put it in when you write the code not as an afterthought. When you create an array that is filled from a source out of your control (ie user input) YOU CHECK THE DAMN INPUT FOR OVERFLOW. Simple as that and a lot easier than rocket science.
LOL All bow to the greatest programmer on Earth.

Better than the makers of -

Windows (any variety)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-042.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-072.asp
http://www.hot4down.com/20/software_3002-2092-6417879.htm

Solaris

http://www.cert.org/advisories/CA-2002-34.html
http://www.kb.cert.org/vuls/id/484011
http://www.kb.cert.org/vuls/id/596748

Linux

http://securecomputing.stanford.edu/alerts/samba-rollup.html
http://www.cert.org/advisories/CA-2003-25.html
http://www.gentoo.org/security/en/glsa/glsa-200312-02.xml

Isn't Google a wonderful tool? :)
 

Roo Stercogburn

Resident Freddy
Joined
Dec 22, 2003
Messages
4,486
I remember when I was in a previous job, we had a meeting with various departments.

The entire development team was there and they were whining bitterly about the software tools they had to work with. I just looked rather pointedly at the dev manager and said "Yeh, there's nothing worse than a bunch of tools that are no use."

Strangely, it went quiet after that :)
 

Oasis

Fledgling Freddie
Joined
Feb 7, 2004
Messages
62
Kami said:
It's like a woman, now and then it just decides to be a bitch, womans right of course :)
LMFAO you fucking twat. Sexist and supporter of animal exploitation/cruelty (ur avatar is not funny). Will you ever learn?
 

PJS

Fledgling Freddie
Joined
Jan 16, 2004
Messages
494
LOL All bow to the greatest programmer on Earth
I never claimed to be that. But checking what you write into arrays isn't too long is 1st year Computer Science stuff.

When you are writing things like Internet Explorer and Windows Networking code that are vulnerable to hackers not being arsed to check buffer sizes is pretty much criminal negligence and the sheer volume of "unchecked buffer" security patches that have been issued is beyond a joke and still arriving by the day.

:kissit: MS developers.
 

PJS

Fledgling Freddie
Joined
Jan 16, 2004
Messages
494
Anastasia said:
Send em your cv then mate, cos I for one am sick to death of skript kiddehs taking advantage of these n00b holes in the OS to prove just how tragically inadequate they are in real life ;)
nah, wouldn't work for Micro$haft on principle :p
 

legis

Fledgling Freddie
Joined
Feb 12, 2004
Messages
17
PJS said:
:kissit: MS developers.
You can do that to most developers, probably including yourself. Look at the previous and current vulnerability reports out there. You will see that Linux (and especially Debian and Redhat) has far more reports than Windows. Take your head out of your hat and check out reality for a while.
 

Driwen

Fledgling Freddie
Joined
Dec 23, 2003
Messages
932
legis said:
You can do that to most developers, probably including yourself. Look at the previous and current vulnerability reports out there. You will see that Linux (and especially Debian and Redhat) has far more reports than Windows. Take your head out of your hat and check out reality for a while.
but but its far more fun to bash M$ with the complete mass than think :p
 

Anastasia

Can't get enough of FH
Joined
Dec 23, 2003
Messages
274
PJS said:
nah, wouldn't work for Micro$haft on principle :p
lmao

Irony
:The use of words to express something different from and often opposite to their literal meaning.
:An expression or utterance marked by a deliberate contrast between apparent and intended meaning.
:A literary style employing such contrasts for humorous or rhetorical effect.
 

SFXman

Can't get enough of FH
Joined
Dec 22, 2003
Messages
312
Right... I for one will not be taking notice of any vulnerability notices that do not come up in my automatic Windows Update. Especially now that IE has a flaw that allows people to have any website show up as http://www.microsoft.com/
Then again I am not quite sure as to the point of this thread :p
 

Chilly

Balls of steel
Joined
Dec 22, 2003
Messages
9,046
i took someones advice and got this:
"Windows Update has encountered an error. This may be due to a discrepancy in your computer's time setting."

As a solution: Check your clock is right.

NO SHIT! its right, anyway...

....well it was correct to the neares 75k milliseconds :D just corrected.


lol oh dear, iv got 18 critical updates to DL :/
 

CjkaceBM

Fledgling Freddie
Joined
Jan 25, 2004
Messages
126
SFXman said:
Right... I for one will not be taking notice of any vulnerability notices that do not come up in my automatic Windows Update. Especially now that IE has a flaw that allows people to have any website show up as http://www.microsoft.com/
Then again I am not quite sure as to the point of this thread :p
The point of this thread is that the vulnerability listed is more critical than the one exploited by the Blaster worm (and look at the damage caused).

The problem with using Windows Update is that it wants to install every patch, doesn't really explain what the patch does and in some cases can cause more problems than it fixes (until the patch is patched).
 

PJS

Fledgling Freddie
Joined
Jan 16, 2004
Messages
494
CjkaceBM said:
The point of this thread is that the vulnerability listed is more critical than the one exploited by the Blaster worm (and look at the damage caused).

The problem with using Windows Update is that it wants to install every patch, doesn't really explain what the patch does and in some cases can cause more problems than it fixes (until the patch is patched).
And while were on the subject of shit coding. How about releasing a critical security patch on Windows update that DOESNT FIX WHAT IT SAYS. How about then releasing a 2nd patch THAT STILL DOESNT FIX IT. How about having to need THREE ATTEMPTS to get a crucial fix correct.
How about releasing a patch to fix one security issue that INTRODUCES A NEW EVEN WORSE security hole?
 

PJS

Fledgling Freddie
Joined
Jan 16, 2004
Messages
494
legis said:
You can do that to most developers, probably including yourself. Look at the previous and current vulnerability reports out there. You will see that Linux (and especially Debian and Redhat) has far more reports than Windows. Take your head out of your hat and check out reality for a while.
http://www.nizkor.org/features/fallacies/appeal-to-common-practice.html

The argument that all OS developers are shit so therefore it's acceptable is a fallacy. It's not.
 

Nichneven

Fledgling Freddie
Joined
Jan 30, 2004
Messages
41
Kami said:
Trust me you don't want a mac, especially a G4 servers. I have nightmares with the ones we have at work..

It's like a woman, now and then it just decides to be a bitch, womans right of course :)
lol :D

Can't help laughing... I swear my husband once made the same comparrison :rolleyes:

*wags finger* :eek:
 

legis

Fledgling Freddie
Joined
Feb 12, 2004
Messages
17
PJS said:
And while were on the subject of shit coding. How about releasing a critical security patch on Windows update that DOESNT FIX WHAT IT SAYS. How about then releasing a 2nd patch THAT STILL DOESNT FIX IT. How about having to need THREE ATTEMPTS to get a crucial fix correct.
How about releasing a patch to fix one security issue that INTRODUCES A NEW EVEN WORSE security hole?
I am starting to wonder how many times I will need to repeat myself to ask you to visit reality. This will be a fun count.

I agree on a whole that ideally this would never have to happen. It does though, and still will. We are humans, we are imperfect. That's life.
 

Users who are viewing this thread

Top Bottom