From: dufresne at winternet.com (Ron DuFresne)
Subject: EEYE: Microsoft ASN.1 Library Length Heap
 Corruption;  Security Wire Perspectives, Vol. 6, No. 13, February 16, 2004


SOUND BYTES

*MICROSOFT BEGINS YEAR WITH BROKEN PROMISE
By Edward P Yakabovicz

Is anyone really surprised that we get to ring in the new year with a
critical Microsoft vulnerability? Or that Microsoft has known of the
Abstract Syntax Notation Version 1 (ASN.1) flaw for more than six
months, yet did nothing to correct it? What was the driving factor
that's gotten us into another security bind? Is it once again the
"Microsoft Factor" of poor security? Or are there larger issues?

There are two significant points to be made; the most important is
the Microsoft promise made in 2002 of "Trustworthy Computing." It's
two years later and we're still suffering through critical threats to
our systems. Microsoft knew of this threat six months ago and waited
until now to announce it to the world and provide a fix. Is this
Trustworthy Computing in action?

It's also necessary to examine how the basics of ASN.1 changed so
that now it's an issue for Microsoft, but not for other software
vendors. Many believe Microsoft is now suffering from decisions made
during the initial design and creation of the Windows 2000 products.
At that time Microsoft stated it would add Kerberos, LDAP and other
connectivity for providing better access to non-Microsoft standards.
Yet, at the time, the software giant also said it would be a
Microsoft version of these products, not off the shelf as other
vendors had chosen.

ASN.1 is a notation, method or formal communication structure by
which applications speak to one another. This is very similar to the
English language where words are placed in a certain order to convey
one idea, then used in a different manner to convey another, making
it flexible and scalable to many ideas yet still granular to the
communication.

Microsoft chose to change the way ASN.1 was used for all application
communications, thus each and every system, critical or not, is
vulnerable to different vectors of attack.

This would be similar to Microsoft developing its own English
language and changing the structure to NOT use adjectives, pronouns
and prepositions, thus disabling the advantages they add and also
degrading the language structure.

If you change the basic principles without testing or agreement from
the developers, problems will always arise.

Edward P Yakabovicz, CISSP, is information security manager at Bank
One Corporate Internet Group. Please send any comments on this
article to mailto:SWPcomments@...osecuritymag.com



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


