Microsoft Uncovers Critical Windows Security Hole

Microsoft on Tuesday warned of a serious security vulnerability in all of the current versions of Windows that not only allows an attacker to run code on vulnerable machines, but also enables him to install software and change and delete data.

The vulnerability is covered in Microsoft Security Bulletin MS04-007. The problem, which lies in Microsoft Corp.s ASN.1 (Abstract Syntax Notation 1) library, is among the most serious flaws yet discovered in Windows, experts said.

Attackers exploiting the weakness essentially would have free reign over compromised machines, which likely would give them access to whatever networks those PCs are on as well.

ASN.1 is a low-level language used to allow devices and applications on disparate platforms to exchange data in a standard way. Microsoft includes an ASN.1 library in all of the currently supported versions of Windows.

Security applications and services such as SSL and Kerberos will call the library through the Microsoft Crypto API. The library contains an unchecked buffer, which would enable attackers to execute a buffer overrun attack.

There is no workaround for the vulnerability at this point, but Microsoft has released a patch. The Microsoft TechNet document said users should search for a file named “Msasn1.dll.” If the file is present, the security update is required.

The vulnerability is in every current version of Windows, including Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003. The company said customers running VirtualPC for the Macintosh should also run the patch.

/zimages/5/28571.gifCheck outeWEEK.coms Security Centerat security.eweek.com for security news, views and analysis.