Robot B9, where are you? We need you!

* Warning! Warning Will Robinson! SSL vulnerability!

"Warning! Warning Will Robinson!" was the cry of the once cool but now pretty unbelievable Robot B9 from the 1960s television series "Lost in Space."

Given the amazing number of bugs, holes, and required patches, it may be time to lure Robot B9 out of retirement. For now, I'm going to start writing about the serious warnings as they appear. Hopefully this will prevent your Web application from being compromised because you simply hadn't heard that there is a problem with product X or subsystem Y.

This time, the problem concerns Microsoft's implementation of the Secure Sockets Layer (SSL) protocol. The Microsoft SSL library can be compromised by a buffer overflow condition when processing PCT 1.0 handshake packets. PCT, or Private Communications Technology, is a proprietary protocol developed by Microsoft and Visa International and has been supported since IIS Version 4. PCT was intended as an alternative to SSL 2.0, but PCT 1.0 (as well as SSL 2.0) has been superseded by SSL 3.0.

Here's where it gets ugly: Even though the PCT 1.0 protocol is not commonly used in Microsoft's SSL implementation, it is still enabled by default! The buffer overflow in the processing of PCT 1.0 handshake packets can be reliably exploited to provide completely privileged remote control of the affected server.

The vulnerability was discovered by Internet Security Systems, which confidentially notified Microsoft on Sept. 4, 2003. Microsoft released a patch, er, sorry, a "security update," on April 13 this year, some eight months after being notified! I don't think I need to comment on that...

Once the word got out on April 13, every wannabe hacker was online trying to get into commercial servers - a task made much easier by a hacker who calls himself "Johnny Cyberpunk," who released code that attempts the exploit on a Web site called "The Hacker's Choice."

According to an ISS press release, "Internet hackers based in Brazil, Germany and the Netherlands have launched attacks against some of Australia's largest financial institutions over the Anzac Day long weekend."

The Managing Director of Internet Security Systems (Australia), Kim Duffy, is quoted as saying: "By Friday [April 21, at] 8 a.m. the attacks had escalated significantly and by lunch time we became aware that hackers were trying to infiltrate many of Australia's largest financial institutions."

For more details, see the Common Vulnerabilities and Exposures report CAN-2003-0719.

This is a potentially serious issue for any organization running Microsoft products that use the SSL library, such as Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME. You are advised to implement the Microsoft patch as a matter of urgency.
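
To find servers still in the "enabled by default" state described above, the following added example (not from the original column or from Microsoft) reads decoded `.reg` exports and reports which hosts have not switched PCT 1.0 off on the server side. The Schannel key path and its `Enabled` value are the documented Windows setting rather than something the column states, and the host names and export text are constructed.

```python
import re

# Assumption: Schannel's documented per-protocol key; the column does not name it.
PCT_SERVER = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
              r"\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server").lower()
KEY_RE = re.compile(r"^\[(.+)\]$")
ENABLED_RE = re.compile(r'^"Enabled"=(?:dword|hex):([0-9a-f,]+)$', re.IGNORECASE)


def pct_server_state(reg_text):
    """Return 'disabled', 'enabled' or 'default' from decoded .reg export text."""
    current, state = None, "default"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()  # registry key names are case-insensitive
            continue
        value = ENABLED_RE.match(line)
        if value and current == PCT_SERVER:
            # dword:00000000 and hex:00,00,00,00 both encode zero, i.e. off.
            number = int(value.group(1).replace(",", ""), 16)
            state = "enabled" if number else "disabled"
    return state


def hosts_accepting_pct(exports):
    """Hosts where PCT 1.0 is not explicitly off (the default is on, per the column)."""
    return sorted(h for h, text in exports.items()
                  if pct_server_state(text) != "disabled")


_BASE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
         r"\SecurityProviders\SCHANNEL\Protocols")
# Constructed sample exports for four hypothetical hosts.
SAMPLE = {
    "web01": f'[{_BASE}\\PCT 1.0\\Server]\n"Enabled"=dword:00000000\n',
    "web02": f'[{_BASE}\\PCT 1.0\\Server]\n"Enabled"=dword:00000001\n',
    "web03": f'[{_BASE}\\PCT 1.0\\Client]\n"Enabled"=dword:00000000\n',  # client side only
    "web04": f'[{_BASE}\\PCT 1.0\\Server]\n"Enabled"=hex:00,00,00,00\n',
}

if __name__ == "__main__":
    for host, text in SAMPLE.items():
        print(host, pct_server_state(text))
    print("still accepting PCT 1.0:", hosts_accepting_pct(SAMPLE))
```

Exports saved by regedit are usually UTF-16, so decode the file before passing its text in. A host that reports `default` has no server-side value at all and therefore inherits the enabled default.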

Learn more about this topic

Robot B9

Internet Security Systems

Microsoft Security Bulletin MS04-011

Internet Security Systems Security Advisory, April 13, 2004

The Hacker's Choice

ISS Press Release "U.S. Monitors Hacker Attacks on Australia"

Common Vulnerabilities and Exposures (CVE) report CAN-2003-0719

Network World, 05/03/04