Hackers have already found a way to take advantage of a critical security hole disclosed by Microsoft last week.

A short computer program that exploits the vulnerability, in a common Windows component called the ASN.1 Library, was posted to the Internet Saturday. However, one security expert says the exploit code does not pose a risk to confidential data stored on vulnerable systems.

Computer code for the program appeared on a French-language Web page, a popular outlet for software exploits, and was examined in online computer security discussion groups Saturday.

The program will cause machines using a vulnerable version of the ASN.1 Library to reboot, producing a so-called “denial of service” attack, said Neil Mehta, research engineer at Internet Security Systems Inc. However, the exploit program will not allow a remote attacker to run malicious code or access files on vulnerable machines. That makes it less dangerous than previous software exploits, such as the exploit for a hole in the Distributed Component Object Model (DCOM) that preceded the Blaster worm, he said.

ASN, or Abstract Syntax Notation, is an international standard for representing different types of binary data such as numbers or strings of text. The ASN.1 Library is used by a wide range of Windows features and software, security experts said. The ASN.1 exploit targets a Windows authentication protocol known as NT LAN Manager V2, or NTLMV2, that is used to authenticate users and allow them to connect to remote machines on a network. NTLMV2 is enabled by default on most Windows desktops and servers and can be reached through a number of communications ports on Windows machines using ASN.1 to encode the data that is sent back and forth, Mehta said.

The nature of the ASN.1 vulnerability makes it harder to exploit than the DCOM vulnerability because the attacker does not have control over the area of the computer’s memory (or “heap”) that is wiped out in the attack.
That makes it difficult to produce reliable results on every vulnerable Windows machine, he said.

However, there is some evidence that malicious hackers are working to refine the attack and produce a version of the exploit that will give attackers total control over vulnerable systems, said Ken Dunham, director of malicious code at iDefense in Reston, Va.

iDefense has been monitoring online Internet chat groups and has heard reports that an exploit for ASN.1 that gives attackers remote control of systems exists, but has not been released, he said.

Regardless of the danger posed by the exploit, the mere presence of code using the ASN.1 vulnerability should prompt most corporations to immediately patch any systems accessible from the Internet, and to follow by patching internal servers and desktops, Dunham said.

Systems protected by an Internet firewall are probably safe from attack for now. However, home users, especially those with broadband Internet connections, are vulnerable to attack, Mehta said.