More on the Microsoft ASN.1 Vulnerability
If you check into the details for Microsoft Security Bulletin MS04-007 (covered in the news section of this very newsletter) you’ll see that it hinges on a form of data representation known as Abstract Syntax Notation, Version 1 (ASN.1, pronounced “ASN dot one”). What’s the big deal with this vulnerability, and why is it generated so much controversy and discussion?
The big deal with this vulnerability hinges on the many ways in which ASN.1 is used in the Windows operating system. By design, ASN.1 is a compact and powerful way to represent hierarchical names, structured data types, and data entities of all kinds. I first encountered it in the same way that many other IT professionals did—namely, in X.400 messaging and X.500 directory services standards associated with the ISO Open Systems Interconnect networking standards in the mid to late 1980s.
In Windows, ASN.1 pops up all over the place. There, ASN.1 applies to lots of different areas and functionality, including:
- UNC (universal naming convention) names associated with NetBIOS naming
- DNS names
- public and private keys
- PKI certificates.
For a great Microsoft-centric view of ASN.1, check out Knowledge Base article 252648 “XGEN: A Brief Introduction to ASN.1 and BER.” In addition, John Larmouth’s ASN.1 Tagging tutorial is probably one of the best general introductions and references around.
Because the Microsoft ASN.1 vulnerability is a buffer overflow that can push overflow data into command streams at high levels of privilege, it’s a way to take over a system thoroughly and completely if exploited properly. That’s what makes it so important to visit the MS Security pages, and to download and install the MS04-007 security updates.
Where the controversy in this matter stems is that Microsoft apparently knew about the vulnerability for more than six months (over 200 days according to some published reports) before issuing a security update to fix the flaw. My guess is that Microsoft’s response to accusations of foot-dragging in this case—namely, that ASN.1 functionality is so widely-used in Windows platforms of many descriptions that formulating a workable, general fix took serious time and effort—isn’t far off the mark. Rather than create a need to patch incomplete or not fully tested patches, MS chose to create what it called a comprehensive fix instead.
Hopefully, this will resolve matters wherever ASN.1 is used, and prevent widespread exploits from occurring in the future.