Microsoft Issues Highly Critical Windows Fix
by Arie Slob
Hello Windows users,
This week, Microsoft published two new Windows security fixes (see below) for the month of February (after it had published a fix for Internet Explorer the previous week).
One of the fixes has attracted more attention than usual, however. It is the MS04-007 fix, pertaining to a vulnerability in the ASN.1 library.
The vulnerability is caused by an unchecked buffer in the ASN.1 Library, which could result in a buffer overflow. An attacker who successfully exploited this buffer overflow vulnerability could execute code with system privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.
The controversy surrounding this fix is caused by the fact that this vulnerability had been discovered 7 months ago by eEye Digital Security. According to eEye, the ASN vulnerability is more dangerous than previous flaws that spawned the Nimda, Code Red and Sapphire worms, because the ASN library is widely used by Windows security subsystems, so the vulnerability is exposed through an array of authentication protocols.
Marc Maiffret, chief hacking officer and cofounder of eEye Digital Security, criticized Microsoft for the lag time between eEye's discoveries and Microsoft's fixes, saying: "We contacted Microsoft about these vulnerabilities 200 days ago, which is insane." Microsoft defends the whopping 7 months it took to fix the flaws as necessary because the company needed to ensure that a patch to such central Windows components didn't break software or cause other problems. "We really took the steps to make sure our investigation was as broad and deep as possible," Microsoft security program manager Stephen Toulouse said.
Security experts Sophos said computer users should keep a sense of proportion about the flaw, however.
"At the moment, we haven't seen any hackers or worms exploiting this hole, but that doesn't mean computer users don't need to protect their PCs," said Sophos' Graham Cluley, senior technology consultant for Sophos. "Everyone should ensure their computer is patched against this vulnerability as soon as possible. This announcement couldn't have come at a worse time for Microsoft, as they try and build their reputation for security."
So, go and visit windowsupdate.com and get all your friends & relatives to do likewise!
Microsoft Windows Security Bulletin Summary for February, 2004
Severity Rating: Critical
Severity Rating: Important
Recent Support BBS Postings
Changing Taskbar Clock Info - Windows XP
Going to raid, need info - Hardware
Links won't open in a new window - Internet Explorer
Mozilla Firefox 0.8 Release - Netscape and Mozilla
Web Site Updates
These pages were added/updated in the past week. Information on previously updated/added pages is available on the What's New? page for 1 month.
Added: Microsoft Issues Highly Critical Windows Fix
Updated: Microsoft Windows Security Bulletin Summary for February, 2004
Added: Critical Update for Windows Media Player (All Versions)
Critical Update for Windows Media Player (All Versions)
This update contains a change to the behavior of Windows Media Player's ability to launch URLs in the local computer zone from other zones. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
Supported Operating Systems: Windows 2000, Windows Server 2003, Windows XP
[2.77 MB - English]
Windows 2000 & Windows NT 4 Source Code Leaks
Microsoft Corp. says incomplete portions of the source code were leaked over the Internet, but analysts caution it's too early to say how much damage the leak may cause.
Sources indicate that the data is roughly 650 MB (the size of a typical CD-ROM), whereas the entire source code would probably exceed 40 GB.
Excel 2003/2002 Add-in: MSN Money Stock Quotes
This add-in for Excel 2003 and Excel 2002 allows you to get dynamic stock quotes from the MSN Money Web site. The tools and features found in Excel are particularly well suited to analyzing financial data such as stocks. This add-in allows you to easily gather and study the stocks of interest to you, refresh your quotes when you want, and readily change or modify the quotes gathered.
[387 KB - English]
Other Languages [FR/IT/DE]
Tip: Internet Explorer Cannot Connect to Secure Web Sites
Quite a number of people have been reporting problems connecting to Secure Web sites (the ones that start with https:// ). There are a number of possible causes, which in turn have a number of suggested fixes.
Tip: Kernel32.dll errors caused by IEXPLORE
When you use Microsoft Internet Explorer to access the Internet, you may receive error messages caused by IEXPLORE.
Clicking a hyperlink in an Outlook Express e-mail message causes Internet Explorer to display a 404 Object Not Found error page
When you click a hyperlink in an e-mail message in Microsoft Outlook Express, the wrong page appears in Microsoft Internet Explorer, or the following error page appears:
http:/1.0 404 Object Not Found
Read Microsoft Knowledge Base Article