Microsoft Warns Of Major Flaw In Windows

February 11, 2004

Network Computing

Microsoft on Tuesday afternoon alerted users of a trio of new security vulnerabilities in Windows and Internet Explorer, one of which was characterized by its discoverer as even more dangerous than the flaws that spawned some of the biggest worms of all time, Nimda and Code Red.

While the Redmond, Wash.-based developer tagged two of the three vulnerabilities as "critical" -- its highest warning rank -- one is of special concern.

The vulnerability relates to Microsoft Windows Abstract Syntax Notation (ASN), a language used to define the syntax of data messages shared between applications and computers. Any flaw in Windows' implementation of ASN is by definition critical, since the ASN library is widely used by the operating system's security subsystems, including Kerberos and NTLM authentication, as well as by applications that use digital certificates, including SSL, digitally-signed e-mail, and the ActiveX controls utilized by Microsoft's Internet Explorer browser.

A determined attacker could exploit the ASN vulnerability to create a buffer overflow in a targeted machine, which would in turn offer up complete control of the computer. From there, the sky's the limit: a hacker could install new software (including, for instance, Trojan horses), wipe hard drives, hijack files, or any of a thousand other things.

There is no work-around for the vulnerability, Microsoft said in the security bulletin issued Tuesday; the only way to correct the problem is to install the fix, which is available through the Windows Update service. Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 are all affected and must be patched.

"These flaws can be detected and exploited remotely, and have the potential to cause serious damage if not immediately remediated," said executives at eEye Digital Security, the firm which uncovered the problem in July, 2003. "Ironically, the security-related functionality in Windows is especially adept at rendering a machine vulnerable to an attack."

At Microsoft's request, eEye held off disclosure of the vulnerability until a patch was created, tested, and released.

One of the other two bulletins, also rated "critical," relates to Internet Explorer, which has been patched several times in recent weeks. The patch corrects three newly-announced vulnerabilities that include flaws in the browser's security model, its URL parsing (which can lead to "spoofed" addresses, ones leading to malicious Web sites that disguise themselves as legitimate URLs), and in its drag-and-drop operations.

Internet Explorer versions 5.01 and later are affected, said Microsoft, and users should immediately apply the patch.

The third bulletin, ranked as "important," Microsoft's second-most dangerous rating, applies to Windows NT, Windows 2000, and Windows Server 2003, and stems from a problem in how Windows' Internet Naming Service (WINS) validates data packets. Hackers could exploit this bug to bring down a WINS server.

As with the ASN vulnerability, the other two security gaffes can be corrected by applying patches downloaded from Windows Update.

But it's the ASN flaw that has security experts scared. "These are potentially catastrophic vulnerabilities," said Marc Maiffret, the chief hacking officer at eEye in a statement. "It's imperative that organizations immediately apply the appropriate patches to ensure their systems are secure."
