Free Republic

URGENT: ASN.1 BUFFER OVERFLOW HAS BEEN EXPLOITED. PATCH NOW!!! [Code attacks Windows vulnerability]
CNET News.com ^ | 2004-02-17 | Munir Kotadia

Posted on 02/17/2004 2:17:01 PM PST by mosel-saar-ruwer

A piece of code that exploits a critical vulnerability that Microsoft issued a patch for only last week has been posted online, raising fears of an imminent MSBlast-style attack.

On Feb. 10, Microsoft released a patch that fixes a networking flaw that affects all Windows XP, NT, 2000 and Server 2003 systems. The company warned people to patch their systems, because the vulnerability could be exploited by virus and worm writers.

Four days after the patch was released, a piece of code was published on a French Web site that would let anyone exploit the vulnerability, meaning that unpatched customers could be hit with a worm similar to last summer's MSBlast, also known as Blaster.

Richard Starnes, director of incident response at telecommunications giant Cable & Wireless, told ZDNet UK that the code appears to work.

"We ran (the compiled code) against an unpatched XP and Windows 2000 SP3 system, and it took both systems down. It does a buffer overflow and immediately sends the PC into a reboot phase that you can't get out of," he said.

According to Starnes, the published attack could easily be turned into another MSBlast or Code Red type of "blended attack," in which the worm has two distinct modules: one for spreading and the other containing a payload.

"We have started seeing two-phase or two-tier worms--worms that have two attack vectors--one is a propagation vector and one is for launching an attack. The vast majority of worms we have seen only have a propagation payload. But with this one, you can have a propagation payload, and you can have a proper payload--being a DDoS (distributed denial-of-service) platform."

Jay Heiser, chief analyst at IT risk management company TruSecure, told ZDNet that the code on its own is simply a DDoS attack and can cause limited damage, but because it exploits a buffer overflow, it could be used to cause havoc.

"A denial-of-service attack is the equivalent to letting the air out of a tire in a car. It is annoying to the driver and might be fun once or twice for the attacker, but it is not the same thing as allowing you to go for a joyride. The fact that the DoS attack works against the buffer overflow suggests a greater likelihood that a more sophisticated attack is possible," Heiser said.


TOPICS: News/Current Events
KEYWORDS: getamac; headforthehills; lowqualitycrap; microsoft; patchno321345643; theskyisfalling; virus; windows; worm
PATCH NOW

Previous FreeRepublic thread [predicting this] here.

1 posted on 02/17/2004 2:17:04 PM PST by mosel-saar-ruwer

To: mosel-saar-ruwer
I downloaded it but it won't run on my computer. Help?
2 posted on 02/17/2004 2:18:32 PM PST by Glenn (What were you thinking, Al?)

To: mosel-saar-ruwer
Hey, what's this button do...?

OH MY GOD!

(static)

3 posted on 02/17/2004 2:21:13 PM PST by Lunatic Fringe

To: Glenn
The best patch around is Linux.
4 posted on 02/17/2004 2:21:15 PM PST by taxed2death (A few billion here, a few trillion there...we're all friends right?)

To: taxed2death
Never mind. I figured it out. This patch is for a Pee Cee!

I keep forgetting I can't run Pee Cee programs on my Mac.

5 posted on 02/17/2004 2:22:12 PM PST by Glenn (What were you thinking, Al?)

To: mosel-saar-ruwer
I'VE DONE IT!
6 posted on 02/17/2004 2:22:54 PM PST by Petronski (John Kerry looks like . . . like . . . weakness.)

To: mosel-saar-ruwer
Maybe I should search all my old 5 1/4" floppies and reinstall a copy of DOS 3.1 and never worry again.
7 posted on 02/17/2004 2:28:09 PM PST by Blue Screen of Death (,/i)

To: mosel-saar-ruwer
I predict 91.47% of the posts to this thread will be Windows bashing by Mac/Linux users. The other 8.53% of posts will have to wade through all that garbage to get some real info.
8 posted on 02/17/2004 2:28:50 PM PST by Flyer (Don't abandon our military - Re-elect President Bush!)

To: Flyer
LOL.

And I predict that 87.435% of all statistics used in this thread will be made up on the spot.


ROFL!
9 posted on 02/17/2004 2:31:10 PM PST by Johnny Gage (God Bless our Firefighters, our Police, our EMS responders, and most of all, our Veterans)

To: mosel-saar-ruwer
Thanks for the patch. You're a life saver. (Do not attempt to lick, chew, or swallow.) Have a nice day.
10 posted on 02/17/2004 2:31:24 PM PST by Warlord David

To: Flyer
Macs rule! Just thought I'd kick it off!
11 posted on 02/17/2004 2:32:11 PM PST by Arkie2

To: Admin Moderator
PLEASE keep this in Breaking News.

If people don't patch for this thing, the results could be catastrophic.

12 posted on 02/17/2004 2:36:35 PM PST by mosel-saar-ruwer

To: mosel-saar-ruwer
So the SysAdmins on this forum know - there are two unconfirmed reports of this patch (MS04-007) making W2K domain controllers run slowly and refuse to let NT4 assets log in. Patch and test, is my advice. We haven't actually seen that...yet...
13 posted on 02/17/2004 2:38:36 PM PST by Billthedrill

To: Flyer
Yeah, pretty much. "The best patch around is Linux." Yeah, well the best way around all this bullsh*t is to go back to pen and paper, because EVERY OS SUCKS

And I say that as an IT professional that has used just about every stupid iPaq, iPod, iGeorgeForeman, Linsux (no typo there), Winblow$, CrapOS X piece of sh*t out there. And you know what? THEY ALL SUCK!!!!

And please don't point out the irony of my using a computer in order to decry them ;-)
14 posted on 02/17/2004 2:39:54 PM PST by Jinjelsnaps ("Time flies like an arrow, fruit flies like a banana" - Groucho Marx)

To: mosel-saar-ruwer; Admin Moderator
If we post every POTENTIAL Windows problem as Breaking News it will be every 5th headline. This is no more of an emergency than last week's patch, or the week before’s patch, or…
15 posted on 02/17/2004 2:40:33 PM PST by elfman2

To: mosel-saar-ruwer
here's the perp


16 posted on 02/17/2004 2:41:07 PM PST by MD_Willington_1976

To: Lead Moderator; Admin Moderator; John Robinson
Is this for real?
17 posted on 02/17/2004 2:41:19 PM PST by Momaw Nadon (Goals for 2004: Re-elect President Bush, over 60 Republicans in the Senate, and a Republican House.)

To: mosel-saar-ruwer
How do I know you aren't trying to screw up my computer?
18 posted on 02/17/2004 2:41:29 PM PST by nuconvert ("Progress was all right. Only it went on too long.")

To: mosel-saar-ruwer
Just to be fair


19 posted on 02/17/2004 2:42:34 PM PST by MD_Willington_1976

To: mosel-saar-ruwer
" PLEASE keep this in Breaking News. If people don't patch for this thing, the results could be catastrophic. "

The same can be said for every MS patch. There is no worm that exploits this hole yet.

20 posted on 02/17/2004 2:43:40 PM PST by elfman2

