More Patches in Pipeline from Microsoft

eEye Digital Security has savaged Microsoft for taking more than six months to patch a critical security vulnerability in Windows' implementation of ASN.1, which says it identified in July 2003. Marc Maiffret branded the response "ridiculous" and has produced a web page detailing three additional high impact security vulnerabilities that the firm reported to Microsoft more than three months ago.

According to eEye, the vulnerabilities include a remote exploit that could allow attackers to gain system privileges, and a denial of service strategy that could "total system failure." Both vulnerabilities were reported Sept. 10, and affect default installations of Windows in use on more than 300 million computers, including Windows NT, Windows 2000, Windows XP and Windows Server 2003. eEye reported an additional high-risk remote exploit on Oct. 8.

"Full details of each vulnerability will be disclosed to the public at the time a patch is released from the vendor," eEye says in its advisory.

The potential buffer overflow patched yesterday by Microsoft could be exploited through a range of applications running on Windows, including Secure Sockets Layer (SSL) under IIS, Microsoft's Kerberos implementation, digitally-signed ActiveX controls and third-party software using encryption certificates. It stems from a potential buffer oveflow in the way Windows uses Abstract Syntax Notation 1 (ASN.1), a standard commonly used to exchange data between different platforms.

The possibility of an exploit targeting ASN.1 has been a long term concern for Internet security practitioners, and, for example, Bill Hancock expressed specific concern during Congressiona l testimony in November, citing "lack of security controls in base networking protocols and 'building block' protocols such as Abstract Syntax Notation.1 (ASN.1)."