The flaws that allowed malware such as CodeRed and Nimda to spread were no small thing. The flaw that allowed the SQL Slammer worm to spread around the globe in under an hour and cripple the Internet seemed like a pretty big deal at the time. Last year Microsoft announced a vulnerability in the RPC (Remote Procedure Call) protocol and DCOM implementations, which led to the MSBlast (or Blaster) worm. To say that this is the largest vulnerability yet is a rather substantial claim compared with these notorious flaws.
So, what is ASN.1? What is the big deal about this vulnerability? Is the media just running around screaming "the sky is falling" when it really isn't that urgent? Or, is there good reason to be concerned and get this patch applied to your systems as quickly as possible?
Let's start by describing what ASN.1 is. ASN stands for Abstract Syntax Notation. According to Webopedia.com, "ASN.1 ensures that the data received is the same as the data transmitted by providing a common syntax for specifying Application layer (program-to-program communications) protocols." Roughly translated, ASN.1 gives disparate systems and applications a common "language" to use when trying to communicate data between them.
This flaw affects all versions of the Windows operating systems after Windows 98, including NT, 2000, XP and Server 2003. Servers are more likely to have services running that decode ASN.1 data, and are therefore a larger security concern. However, ASN.1 is so pervasive that it's hard to get a handle on just which systems and applications are using it.
Just like last year, with the RPC / DCOM flaw that sparked the MSBlast worm variants, this vulnerability is so widespread that there could be attack vectors that Microsoft hasn't yet considered.
If an attacker successfully exploits this buffer overrun flaw in Microsoft's implementation of ASN.1, they can obtain complete control over the target machine. They would be able to remotely execute malicious code on the target system with System privileges and could do things such as installing software, viewing files, changing or deleting data, creating user accounts with administrative privileges and more.
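To make the decoding step concrete, here is an added example (not code from this article, from Microsoft or from eEye) that reads one BER tag-length-value element, a common wire encoding of ASN.1 data, and checks the declared length against the bytes actually received before anything is copied. The function names and sample bytes are constructed for illustration; the code shows the general class of check a decoder needs and does not reproduce the specific MS04-007 flaw.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded BER element: tag byte plus a view into the input buffer. */
typedef struct { uint8_t tag; const uint8_t *value; size_t len; } ber_tlv;

/* Constructed sample inputs (not captured traffic). */
const uint8_t ok_short[]  = {0x04, 0x03, 'A', 'B', 'C'};        /* OCTET STRING, short-form length */
const uint8_t ok_long[]   = {0x04, 0x81, 0x03, 'A', 'B', 'C'};  /* same value, long-form length */
const uint8_t truncated[] = {0x04, 0x05, 'A'};                  /* claims 5 bytes, carries 1 */
const uint8_t huge_len[]  = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 'A'}; /* claims ~4 GiB */

/* Parse one element from buf[0..avail). Returns bytes consumed, or 0 if it is
 * malformed or its declared length exceeds the data actually present. */
size_t ber_read_tlv(const uint8_t *buf, size_t avail, ber_tlv *out)
{
    size_t pos = 0, len = 0;
    if (buf == NULL || out == NULL || avail < 2) return 0;
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f) return 0;        /* multi-byte tags: out of scope here */
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                           /* short form: length fits in one byte */
    } else {
        size_t n = first & 0x7f;               /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || n > avail - pos) return 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
    }
    if (len > avail - pos) return 0;           /* subtraction form cannot wrap around */
    out->tag = tag; out->value = buf + pos; out->len = len;
    return pos + len;
}

/* Copy the contents into a fixed-size buffer only if they fit. */
int ber_copy_value(const ber_tlv *tlv, uint8_t *dst, size_t dst_size)
{
    if (tlv == NULL || dst == NULL || tlv->len > dst_size) return -1;
    memcpy(dst, tlv->value, tlv->len);
    return 0;
}

int main(void)
{
    ber_tlv t;
    printf("valid element: %zu bytes consumed\n", ber_read_tlv(ok_short, sizeof ok_short, &t));
    printf("oversized length: %zu (rejected)\n", ber_read_tlv(huge_len, sizeof huge_len, &t));
    return 0;
}
```

The comparison is written as `len > avail - pos` rather than `pos + len > avail` so that a very large declared length cannot overflow the addition and slip past the check.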
The exploit code to take advantage of this vulnerability already exists. There is no exploit code currently circulating in the wild, but there is enough chatter going on within security and hacker underground web sites that it seems like it won't be long. The detailed write-up about this flaw by eEye Digital Security, the original discoverers of the issue, also gives a substantial amount of detail about what would be needed to exploit the vulnerability.
The SQL Slammer worm didn't hit the world until more than six months after Microsoft had released the patch for the flaw, yet many had not patched and it still had a significant impact. The MSBlast worm took only a week or two from the time the vulnerability was announced. The window of opportunity for patching your systems seems to be getting shorter as malicious programmers get faster at taking the exploit code and packaging it into a self-replicating worm or virus.
There is no way to know for sure if a worm exploiting the ASN.1 vulnerability will come out tomorrow, next week, next year - or never. But, we're still in the first half of February and 2004 has already been a very busy year for malware. I would put my money on sooner rather than later and recommend that you work to expedite getting the patches and any other appropriate protective measures in place.
There are a variety of platform-specific patches: different patches for Windows NT, Windows 2000, Windows XP and Windows Server 2003, as well as for the various service pack levels. For the details and links to the various patches you need to protect your systems, see Microsoft Security Bulletin MS04-007.