ATTN: MS04-007-related Activity

Gary S. Terhune

FYI. Not sure what to think, but I suspect we may be in for another serious DoS situation, soon.

Please, those who are vulnerable, PATCH IT!

(Note: This issue does *not* affect Win9x users. I post it simply as a public service.)

--
Gary S. Terhune
MS MVP for Windows 9x

+++++++++++++++++++++++++++++++++++++++++++++
The Services and Field Security Support Team is sending this alert you
of a possible change in the threat environment surrounding MS04-007.
Specifically, we are aware that sample exploit code (also known as
"Proof of Concept" code) has been made publicly available for the
vulnerability addressed by MS04-007. This sample code only demonstrates
a denial of service attack, it does not demonstrate remote code
execution. In addition, we are aware of general increased activity
around this vulnerability. We are not currently aware of any published
sample exploit code that demonstrates remote arbitrary code execution.

We are NOT aware of any active attacks against the vulnerability
addressed by MS04-007.

However, the presence of sample exploit code and heightened activity
around this vulnerability does potentially change the threat environment
because the existence of sample code can make it easier for an active
exploit to be developed and released. We are therefore urging customers
to immediately apply the security update to protect themselves from any
possible exploits which may be developed.

Information on Microsoft Security Bulletin MS04-007 and its associated
security update can be found here:

http://www.microsoft.com/technet/security/bulletin/ms04-007.asp

If you have any questions regarding this alert, you should contact
Product Support Services in the United States at 1-866-PCSafety
(1-866-727-2338). International customers should contact their local
subsidiary.

Thank you,

The Services and Field Security Support Team
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
Torgeir Bakken (MVP)

Gary S. Terhune said:
FYI. Not sure what to think, but I suspect we may be in for another serious DoS situation, soon.

Please, those who are vulnerable, PATCH IT!

(Note: This issue does *not* affect Win9x users. I post it simply as a public service.)

Hi

Actually, the ASN.1 vulnerabilities are present in Win9x/ME as well.

Microsoft has created a patch, but it is not released for public
download yet (but I would think it is going to be), you will need
to call Microsoft to obtain it (for free).

See the thread "Windows 98 ASN.1 Vulnerability?" started by
Greg Kujawa in the newsgroup microsoft.public.security for
more details...
 
LuckyStrike

Torgeir,

Thanks for your extra input. If you'll forgive me, a link directly to the
post would have been handy though. Also I believe you meant the
microsoft.public.security.virus NG. ;-)
 
LuckyStrike

Oops! Sorry Torgeir, I stand corrected... it does seem to show up in
ms.security, and not security.virus as I had said. However, for some reason,
(I can't explain) an initial "find" within that NG showed nothing, but a
find in the security.virus NG showed all of the thread. <scratching head in
wonder> Again, I apologize to you and the entire NG(s).

I'm going to try to get to the bottom of this.
 
Torgeir Bakken (MVP)

LuckyStrike said:
Torgeir,

Thanks for your extra input. If you'll forgive me, a link directly to the
post would have been handy though. Also I believe you meant the
microsoft.public.security.virus NG. ;-)

No, it is in the microsoft.public.security newsgroup...

news://msnews.microsoft.com/12e9701c3f702%2490dacec0%24a001280a%40phx.gbl
 
Tedd Riggs

You might be right on this one Gary,

it sure made it fast to the Department of Homeland Security's National
Cyber Security Division (NCSD) US-CERT National Cyber Alert System, Cyber
Security Bulletin SB04-049. This one was posted on their main web site and
also emailed to all that are involved with them.
http://www.us-cert.gov/cas/bulletins/SB04-049.html

--
Tedd Riggs
PDA Square Content Developer
www.pdasquare.com
Redmond, WA


 
Gary S. Terhune

PA Bear! Where's my *big* spoon!? Gonna have to eat a bowl-full of crow, here!

I was not aware that the vulnerability extended to v. 4.xxx of MSASN1.DLL, instead of being restricted to v. 5.xxx. I had v. 4.4.3396, provenance unknown.

However, while I see that http://support.microsoft.com/?kbid=828028 is essentially *empty*, meaning that this is a work in progress, I did download and install the patch as per Greg's link, and it apparently succeeded. New file version as follows (forgot to write down my old one, but it was 4.sumthin')

MSASN1.DLL -- 5.00.2195.6824 09/20/03 5:05 pm PST (21-Sep-2003 01:05 UTC)

That's the *same* file as is contained in the patch for Windows NT SP4. The patch can be uninstalled (yes, I tested that), so that makes it a relatively safe bet. From the INF files included, the linked version appears to apply only to Win98 and Win98SE. I would assume that one also exists for ME, but I don't know where that is located (and no, I am not going to re-post the link and password. I don't do that.)

As an aside, I agree that if the reason Win9x wasn't included in the SB and KB is because of some "they're not supported" crap, that was plain wrong. This is not a Windows 9x file, per se, it's a file that's added by any number of add-on components, from Office to IE (and particularly, NetMeeting.) Those *are* supported applications, to one extent or another, regardless of the platform upon which they reside.

Even more to the point, Microsoft should get it straight--Security patches should not be on the table when it comes to "Support". If they are applicable, they should be made available. Period. And none of this BS like, "Call if you need it, we want to keep track", or "We haven't finished testing it yet." If they want to include a "Use at your own risk" clause in the EULA, fine. Just do it. They'll find out soon enough whether it causes users problems, and they can issue *another* update to fix that, OK? Judging by the file dates, somebody has known for quite some time that this problem exists. It was "fixed" five months ago.
 
Tedd Riggs

Gary,
I did say "you MIGHT be right" :) But then since the notice did come from
the US Government, I am sure it would be at least 1/4 right.
Tedd




Half right, anyway, <¦-(
 
Torgeir Bakken (MVP)

Gary S. Terhune said:
PA Bear! Where's my *big* spoon!? Gonna have to eat a bowl-full of crow, here!

I was not aware that the vulnerability extended to v. 4.xxx of MSASN1.DLL, instead of being restricted to v. 5.xxx. I had v. 4.4.3396, provenance unknown.

However, while I see that http://support.microsoft.com/?kbid=828028 is essentially *empty*, meaning that this is a work in progress, (snip)

Actually, that KB article is just a placeholder for the link to the security
bulletin http://www.microsoft.com/technet/security/bulletin/ms04-007.asp,
and is not going to get any more content. All new information about this
security flaw/hotfix is going to be added in the security bulletin and
not in the KB article.
 
Gary S. Terhune

That's screwy, too, if you ask me. Don't know that I've ever seen it done that way before. I suppose it allows MS to save a bit of server space. But it makes it hard to search the *KB* for terms like "msasn1.dll", or any number of other terms I might use to find that article, and get any meaningful returns, eh?
 
Torgeir Bakken (MVP)

Gary S. Terhune said:
That's screwy, too, if you ask me. Don't know that I've ever seen it
done that way before. I suppose it allows MS to save a bit of server
space. But it makes it hard to search the *KB* for terms like
"msasn1.dll", or any number of other terms I might use to find that
article, and get any meaningful returns, eh?

Microsoft started with this for security bulletin MS03-041 and up:

http://support.microsoft.com/?kbid=823182


MS03-040 was the last one to do it the "old" way:

http://support.microsoft.com/?kbid=828750


One of the reasons why this change was made was that a lot of
people thought it was confusing that some information was in the
KB article, and some was in the security bulletin...
 
Gary S. Terhune

I would have preferred the opposite tack--use SBs as "Headline Alerts" oriented toward ITs, and use KB articles to flesh out the full scope of the issue. For the very reasons I described before--searchability.

Try this:
http://search.microsoft.com/search/...&View=en-us&qu=msasn1.dll&qp=&qa=&qn=&c=3&s=0

Heck, it even says it's searching SBs, but I see neither hide nor hair of the current issue. I dare *anyone* to use the Search tool to find this SB that's been out for how many days now? Only way I've gotten it to come up is by using "828028". Not even "MS04-007" returns a direct hit, only a reference to http://www.microsoft.com/security/security_bulletins/20040210_windows.asp

Or take your more aged example of the first issue that occurred after the change. Do a Support and Troubleshooting search on Cryptui.dll. http://search.microsoft.com/search/...View=en-us&qu=&qp=Cryptui.dll&qa=&qn=&c=3&s=0

No mention of KB823182 in any of it.

Now do a search on Mshtml.dll:
http://search.microsoft.com/search/...&View=en-us&qu=Mshtml.dll&qp=&qa=&qn=&c=3&s=0

Bingo!
828750 - MS03-040: October, 2003, Cumulative Patch for Internet Explorer
http://support.microsoft.com/?kbid=828750

Udderly disgusting!
 
Ivan Bútora

Well, perhaps Microsoft should get some feedback that the decision to "unite" security bulletins and KB articles by means of essentially eliminating the relevant content from KB articles is not necessarily a good one. I believe this is one of the changes they introduced, along with the monthly Windows and Office security bulletins. It seems that basically the info formerly in KB articles is now included in the newly added "Security Update Information" section of security bulletins. I also think that the KB articles have their advantages, such as you said (searchability), and perhaps some others (easier to save for offline, quicker reference, clear identification of the issue by the six-digit number, etc.). Perhaps they could keep the expanded security bulletins, but also keep the KB articles, while maintaining a clear relationship between them (i.e. KB article = security update information section of the bulletin)...

IB


 
Gary S. Terhune

I think it was fine the way it was, with the caveat that both could be done better and with more coordination.

--
Gary S. Terhune
MS MVP for Windows 9x


 
