F Y I ... presently floating ... If you have seen it before, please excuse.

==>

"Microsoft Warns of New Security Flaws"
Reuters - 06/13/02

Microsoft disclosed a trio of critical software vulnerabilities on Wednesday. The company has issued a patch for a hole that can cause system shutdowns or enable hackers to run malicious code on a computer; the flaw affects users of Windows XP, Windows Routing and Remote Access Server, Windows NT 4.0, NT 4.0 Terminal server edition, and Windows 2000. The other security flaws include an Internet Explorer vulnerability that could allow intruders to commandeer computers via an old Internet protocol, and a hole in Microsoft's instant messaging and chat programs that would permit hackers to run their code on victim machines. The Wednesday announcement brings the total number of security bulletins Microsoft has released this year to 30, demonstrating the company has made little actual progress toward its target of more secure software since making it a primary goal about six months ago. Nevertheless, David Gardner of Microsoft's Security Response Center claims that the initiative has had positive effects--for one thing, engineers are detecting these flaws before they are identified and revealed by outside researchers.

"Coding Flaw Might Assist Hackers"
By Riva Richmond
The Wall Street Journal - 06/13/02 P. B4

Computer-security specialists are exploring whether the Internet infrastructure could become a ripe target for hackers because of findings that faulty deployments of the Abstract Syntax Notation One (ASN.1) computer language make Simple Network Management Protocol (SNMP) vulnerable to intrusions. At the core of the problem are certain versions of programming code used to read ASN.1, which fail when attempting to deal with very long or distorted messages, giving rise to system crashes or memory overflow that hackers could exploit. If such errors have widely proliferated, other protocols may be open to attacks that could shut down routers and switches, severely hampering online access. Such protocols are used by the telecom sector, and are also incorporated into nuclear-control systems, power-control systems, printer-job management, package tracking, secure communications, and online multimedia applications. Sourcefire founder Martin Roesch and other experts say that the problem is being investigated by tech firms, private researchers, and government agencies. The National Infrastructure Protection Board's Debbie Weierman notes that her agency has been collaborating with experts from the NSA, the Federal Computer Incident Response Center, CERT, private groups, and others since March to see how widespread the ASN.1 flaw is. Microsoft, Lucent, and Oracle are among the private-sector companies that have investigated or are investigating how their products may be affected by the ASN.1 problem. Meanwhile, TruSecure's Paul Robertson believes high-level hackers have devised malicious programs that exploit the flaw.
On Fri, 14 Jun 2002, Robert Mathews wrote:
applications. Sourcefire founder Martin Roesch and other experts say that the problem is being investigated by tech firms, private researchers, and government agencies. The National Infrastructure Protection Board's Debbie Weierman notes that her agency has been collaborating with experts from the NSA, the Federal Computer Incident Response Center, CERT, private groups, and others since March to see how widespread the ASN.1 flaw is. Microsoft, Lucent, and Oracle are among the private-sector companies that have investigated or are investigating how their products may be affected
I'm certain the best people are working on this, but once again Steve Bellovin scooped them all nearly a decade ago.

In the early 1990's myself and several other people were developing the Z39.50 Information Retrieval protocol, including Bob Waldstein from Bell Labs. Like many other ISO/OSI protocols, Z39.50 used ASN.1 as the protocol description language. At first all of us tried using the existing ASN.1 tools, commercial and public domain. We found problems with essentially all of the available ASN.1 compilers and libraries in the 1990's. In 1992 we didn't think of calling it a security flaw, we just called it bad code.

We needed to pass the Z39.50/ASN.1 protocol through Bellovin's fancy firewalls (see his book) which created an interesting conflict. Firewalls should be very simple devices, and ASN.1 can be complex. Despite Bellovin's misgivings, we got Z39.50/ASN.1 through his firewalls.

Imagine if the US Government's GOSIP procurement policy had worked in the 1980's. Instead of a few protocols like SNMP and Z39.50, every network protocol followed the OSI model and used ASN.1 for the session layer, presentation layer and application layer.
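One common form of the failure described in the quoted article and in the message above (ASN.1 readers that break on very long or distorted messages) is a decoder that trusts the length field of a BER element. The C code below is an added example, not code from this thread or from any ASN.1 library mentioned in it; the function names, error codes and the 64 KiB cap are assumptions, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { BER_OK = 0, BER_TRUNCATED = -1, BER_UNSUPPORTED = -2, BER_TOO_LONG = -3 };
#define BER_MAX_CONTENT 65536u /* assumed policy cap for one element */

/* Read one tag/length header from buf[0..len). On BER_OK, *hdr is the header
 * size, *clen the content length, and *hdr + *clen <= len is guaranteed. */
int ber_read_header(const uint8_t *buf, size_t len, size_t *hdr, size_t *clen)
{
    size_t pos = 2, n, k;
    if (len < 2) return BER_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f) return BER_UNSUPPORTED; /* multi-byte tag */
    n = buf[1];
    if (n & 0x80) {                        /* long form: low 7 bits = count */
        k = n & 0x7f;
        n = 0;
        if (k == 0) return BER_UNSUPPORTED;        /* indefinite length */
        if (k > 4) return BER_TOO_LONG;            /* would not fit 32 bits */
        if (len - pos < k) return BER_TRUNCATED;   /* length octets missing */
        while (k--) n = (n << 8) | buf[pos++];
    }
    if (n > BER_MAX_CONTENT) return BER_TOO_LONG;  /* before any allocation */
    if (n > len - pos) return BER_TRUNCATED;       /* claims bytes we lack */
    *hdr = pos;
    *clen = n;
    return BER_OK;
}

/* Convenience wrapper: content length on success, negative code on error. */
long ber_content_len(const uint8_t *buf, size_t len)
{
    size_t hdr, clen;
    int rc = ber_read_header(buf, len, &hdr, &clen);
    return rc == BER_OK ? (long)clen : (long)rc;
}

/* Constructed sample inputs, not captured traffic. */
const uint8_t ok_seq[]     = {0x30, 0x03, 0x02, 0x01, 0x05};
const uint8_t short_lie[]  = {0x04, 0x7f, 0x41};
const uint8_t huge_len[]   = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff};
const uint8_t indefinite[] = {0x30, 0x80, 0x00, 0x00};

int main(void)
{
    printf("%ld %ld %ld %ld\n", ber_content_len(ok_seq, sizeof ok_seq),
           ber_content_len(short_lie, sizeof short_lie),
           ber_content_len(huge_len, sizeof huge_len),
           ber_content_len(indefinite, sizeof indefinite));
    return 0;
}
```

Every length comparison is written as a subtraction from the bytes remaining, so a hostile length value cannot wrap an addition and pass the bounds check.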
On Sat, Jun 15, 2002 at 02:15:47AM -0400, Sean Donelan wrote:
On Fri, 14 Jun 2002, Robert Mathews wrote:
The National Infrastructure Protection Board's Debbie Weierman notes that her agency has been collaborating with experts from the NSA, the Federal Computer Incident Response Center, CERT, private groups, and others since March to see how widespread the ASN.1 flaw is.
I'm certain the best people are working on this, but once again Steve Bellovin scooped them all nearly a decade ago.

"So severe are the potential ramifications of widespread ASN.1 security holes, that President Bush was personally briefed on the matter..."
-- http://online.securityfocus.com/news/474

can you say "War on Open Standards?"

yikes!

same article:

"Howard Schmidt, former Microsoft security chief and newly-appointed vice chairman of the President's Critical Infrastructure Protection Board..."

yep, the Critical Infrastructure needs to be overseen by the same people who brought us the Outlook Virus Launch Platform, and the Internet Information Server/Virus Incubator.

--
[ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
[ I want to live forever, or die trying. ]
Hi folks,

For people from France, there is now a group called FRnOG with about the same goals as nanog.

For more information go to http://www.frnog.org

regards,
Pascal
On Sat, 15 Jun 2002, Pascal Gloor wrote:

:
: Hi folks,
:
: For people from France, there is now a group called FRnOG with about the
: same goals as nanog.
:
: For more information go to http://www.frnog.org
:
: regards,
: Pascal

But it's only for those that read the French language...

scott

!!! WARNING - THIS MAILING LIST IS IN FRENCH LANGUAGE ONLY !!!

Hello,

You have just subscribed to the FRnOG (FRench Network Operators Group) mailing list.

You can unsubscribe at any time by filling in the form on the following web page:
http://www.frnog.org/mailing.php

You can unsubscribe at http://www.frnog.org/mailing.php

You can also contact me if you have any questions, doubts, etc...
participants (5)
- Jim Mercer
- Pascal Gloor
- Robert Mathews
- Scott Weeks
- Sean Donelan