Microsoft Issues Patch For Two Serious Windows Security Holes

The patch fixes a critical vulnerability in a part of the networking stack known as Abstract Syntax Notation 1 (ASN.1) and mends another hole in the Windows Internet Naming Service (WINS). Microsoft acknowledged the flaws a day before company executives provided an update on Microsoft's security initiative.

ASN.1 is used by applications and devices across platforms and is a "deep" function within the OS, one Microsoft executive said. Industry observers said the critical vulnerability could lead to a major outbreak similar to the infamous MSBlaster, Nimda and Code Red viruses that inflicted significant damage to corporate and consumer PCs over the past year.

"There are two Windows issues, one critical and the other important, and they could lead to remote code execution," said Mike Reavey, a security program manager in Microsoft's Security Response Unit. He noted that customers can protect their sites by downloading the patch released Tuesday and by clicking on the Windows Firewall in the client OS.

The ASN.1 and WINS flaws--which affect nearly all versions of Windows, from NT 4.0 through Windows XP and Windows Server 2003--would allow hackers to write malicious code that can execute on networked Windows PCs and bring down a WINS server if the holes are not plugged, Microsoft said.

Reavey said he's not aware of any customers affected by those vulnerabilities. He confirmed that eEye Digital Security alerted Microsoft to the ASN.1 flaw in July and that Qualys, Redwood Shores, Calif., identified the WINS denial-of-service vulnerability in October.

One security consultant said Microsoft is digging deeper into the code to close up holes. However, he expects the problems to continue as distributed computing evolves.

"The ASN.1 vulnerability is the first of many more sophisticated vulnerabilities that we will see," said Adam Lipson, president and CEO of Network and Security Technologies, Pearl River, N.Y. "While it is easy to blame only Microsoft, most future exploits will rely on the similarities between systems rather than a single brand and version of some software."

In other words, the very requirement for commonality among languages and network protocols exposes all manufacturers' products.