Microsoft reveals ‘critical’ flaw in Windows software

11 Feb 2004

Microsoft has warned users of another flaw in its software that could allow hackers to gain control of computers and has urged administrators to install patches immediately to cope with the problem. eEye Digital Security, the US company that discovered the vulnerability, called it ‘potentially catastrophic’.

The flaw affects Microsoft Windows NT 4.0, NT Server 4.0 Terminal Server Edition, Windows 2000, XP and Server 2003. Ironically, other machines running the affected code may have inherited the vulnerability by installing a security update from Microsoft.

In a security update posted on its site, part of a monthly patch release cycle, Microsoft said that servers were at greater risk than individual PCs. This is because they are more likely to have a process running that uses the affected code, the Microsoft Abstract Syntax Notation 1 (ASN.1) Library, which is deeply embedded in the system.

The vulnerability could give a malicious user complete control of a computer, Microsoft said. “An attacker could take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges,” the company warned. According to security expert Hugh Marron of Dublin-based technology consultancy IP Options, in the worst case it could launch an application on computers that is designed to launch a denial-of-service attack against a website.

Microsoft has assigned the highest rating of ‘critical’ to the problem and has issued a patch, which it recommended network administrators install immediately. Marron said that a patch works by replacing the faulty component or changing how the component is used and should be enough to remove the danger.

“These flaws don’t become a threat until someone chooses to exploit it,” Marron pointed out. As yet, no one has done so; neither Microsoft nor eEye Digital Security said they were aware of any activity based on the vulnerability.

Marron added that as a rule, worm and virus writers know that many organisations don’t patch their systems adequately: they may not have the resources to do so, or they believe they’re well protected, or else they might underestimate the seriousness of the threat. Citing the recent MyDoom mass-mailing worm, Marron said that it exploited a flaw in software that Microsoft issued a patch for three years ago. “So as long as you have people who don’t update, you are going to get critical-mass coverage,” said Marron. “A huge amount of organisations still don’t use patching solutions, which would protect against this problem.”

On the other hand, the flaw identified by Microsoft affects a component that is not commonly found and is harder to take advantage of, Marron said.

eEye Digital Security actually discovered the flaw last year and reported it to Microsoft at the time; however, it has taken until now for the software company to issue a fix. According to reports, Microsoft claimed that time was needed for the fix to the affected code to be sufficiently tested.

By Gordon Smith