Microsoft issues patches for three new Windows vulnerabilities

Computerworld - Microsoft Corp. today issued fixes for one "critical" and two "important" flaws in several versions of its Windows software, including Windows Server 2003, under the company's monthly patch-update program.
The critical flaw involves an unchecked buffer in Microsoft's Abstract Syntax Notation One (ASN.1) Library, which provides a generic way of representing data across different applications, according to Microsoft Security Bulletin MS04-007.
The vulnerability could allow hackers to take complete control of a compromised system to install malicious programs, modify or delete data, or create new administrative accounts.
It affects a wide range of Windows software, including Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003. "Because ASN.1 is a standard for many applications and devices, there are many potential attack vectors," the Microsoft advisory said.
Particularly worrisome is the fact that the ASN library is widely used by Windows security subsystems, according to an advisory from eEye Digital Security, which uncovered the vulnerability.
That could allow attackers to construct malformed authentication requests that could expose the vulnerability, said Mike Reavey, security program manager at Microsoft's security response center. As a result, he said, "we do strongly encourage our customers to apply this update."
"Typically, with some severe vulnerabilities, you have some way to mitigate it," said Marc Maiffret, chief hacking officer at eEye. "Because this flaw affects so many different applications, there is no way to mitigate this. Only downloading the patch will help."
Aliso Viejo, Calif.-based eEye first notified Microsoft of the problem back in July, but it took the company over 200 days to issue a fix, Maiffret said. "They gave us some really bad excuses" about why it was taking so long to fix the issue, he said.
According to Reavey, however, that time was needed to adequately address the problem. "We really needed to do due diligence and look at the broadest possible implications" of the vulnerability before issuing an update, he said.
Also announced today was a vulnerability in the Windows Internet Naming Service that under some conditions could be exploited to launch denial-of-service attacks on Windows 2003 servers, according to Microsoft Security Bulletin MS04-006.
The flaw, which was rated as "important" for Windows 2003 Server, affects other versions of Windows as well, but only has a "low" impact on such systems, said Microsoft, which released patches and work-around for the problem.
The third flaw involves Microsoft Virtual PC for Macintosh systems. The "privilege escalation" flaw, which Microsoft rated as "important," could allow attackers to take complete control of compromised systems, according to a Microsoft security bulletin.
Microsoft Virtual PC for Mac allows users to run Microsoft Windows applications on the Macintosh platform.