Six month-old Windows flaw could mean MSBlast 2

Microsoft has a message for Windows users: patch your computers quickly.

On Tuesday, the software giant released a fix for a networking flaw that affects every computer running Windows NT, Windows 2000, Windows XP or Windows Server 2003. If left unpatched, the security hole could allow a worm to spread quickly throughout the internet, causing an incident similar to the MSBlast attack last summer.

"There are more attack vectors and more people that could be affected by this," said Marc Maiffret, chief hacking officer for eEye Digital Security, the software firm that warned Microsoft of the vulnerability more than six months ago.

This is the second time this month that Microsoft has warned users of a security flaw. The company has a new policy of announcing vulnerabilities and releasing patches on the second Tuesday of each month, unless a critical flaw needs to be released immediately.

Last week, the software maker revealed a security flaw in Internet Explorer and issued a patch. On Tuesday, Microsoft announced three more vulnerabilities: the critical flaw and two other issues of lesser severity. One security hole affects computers running the Windows Internet Naming Service, and the other affects Microsoft's Virtual PC for the Mac platform.

The latest flaw exists in Microsoft's implementation of a basic networking protocol known as Abstract Syntax Notation One, or ASN.1. The code is shared by many Windows applications, and if left unpatched, it causes each program that uses the code to be an entry point into the operating system for an attacker.

Such widespread vulnerabilities are most tempting for the underground coders who create worms such as MSBlast - also known as Blaster - and Slammer, both of which took advantage of widespread Windows flaws.

The vulnerability could allow a remote user to take control of a computer running a version of the Windows operating system that hasn't been patched, according to the advisory posted on Microsoft's website. Exploiting the flaw is much easier if the attacker can access a local network, the advisory noted.

"This means a high number of vulnerable systems out on the internet," said Brian Dunphy, director of managed security services for security software company Symantec. "It's a good candidate for an internet worm."

The flaw bears a resemblance to the one that allowed MSBlast to spread in August 2003, said Stephen Toulouse, security program manager at Microsoft's security response centre.

"It is relatively similar in terms of the number of computers it could affect," he said, adding that the flaw "is in all versions of Windows."

Created by Xerox and standardized in 1984, ASN.1 is a way to describe networking data and protocols, said Bancroft Scott, president of OSS Nokalva, an ASN.1 tools developer.

"Twenty years ago, people frequently reinvented the wheel when they wanted to pass data," he said in a January interview on the subject of ASN.1. "There was no way to describe the data that you were going to send."

ASN.1 changed that, allowing developers to describe data in an abstract language. However, developers of tools for creating network protocols and software from those descriptions frequently didn't consider that internet attackers would use the channel as a way to break into computers, Scott said.

"These technologies, such as Windows, don't have anything to do with ASN.1, and yet they are breaking," he said.

The widespread use of ASN.1 has led many security researchers to label it a possible "monoculture" - a population so homogeneous that a single threat could destroy it. A recent trend in the computer security world is the recognition that vulnerabilities in common technologies can have widespread effects. A flaw in the Simple Network Management Protocol, a widely used way to communicate between network hardware, was due to an ASN.1 implementation error.

eEye's Maiffret was critical of Microsoft for taking so long to issue the patch.

"Two hundred days to fix this," Maiffret said. "It is obviously ridiculous." Microsoft's Toulouse said the fix took so long to create because of the difficulties posed by such a pervasive technology.

"ASN.1 is really an extremely deep...technology in Windows itself," he said. "This investigation required us to evaluate several different aspects. This is an instance where we really had to do our due diligence."

Robert Lemos writes for CNET News.com