[Dshield] Microsoft ASN.1

Doug White doug at clickdoug.com
Thu Feb 12 18:02:09 GMT 2004

In my opinion, it is very risky to NOT make sure *ALL* Windows machines
(Clients, especially) are patched, plus running (with current definitions) a
good A/V program.

The majority of virus propagation is coming from client machines where security
policies such as A/V and patching is neglected.  One infected machine whether
internal to your network or a remote client can wreck havoc on your entire
network in very short order.

Even the practice of setting up a new machine and then connecting to the net for
downloading and applying service packs and updates, frequently become infected
during the process of downloading the updates.  This is especially true when the
new installation is assigned a static IP number prior to the updates, firewall
and A/V installation.

Home users, even those on dial-ups, but especially those on "always on"
broadband connections are especially at risk of infection when firewall, A/V
(current definitions) and patches are not aggressively kept up to date.

On our network, we use scripting that checks at the time of login for needed
patches and A/V definitions and require the download and application prior to
accepting the login.  In fact we have been doing this since the NT days.  This
used to aggravate some users, but management stands behind the policy and we are
sticking to it.

Stop spam on your domain, Anti-spam solutions
For hosting solutions http://www.clickdoug.com
Aspire to Inspire before you Retire or Expire!

----- Original Message ----- 
From: "Corinne Cook" <corinnec at abdi.com>
To: "'General DShield Discussion List'" <list at dshield.org>
Sent: Thursday, February 12, 2004 10:38 AM
Subject: RE: [Dshield] Microsoft ASN.1

: Does anyone have any thoughts on the following related to possible ASN.1
: attacks with this vulnerability:
: First, how easy is this to exploit on a client versus a server?  If only
: servers are patched and clients are behind firewalls how likely and how
: severe could a network full of unpatched clients be?  I know Microsoft said
: to patch all machines, but I know people who think this is a server side
: issue almost entirely and are not going to patch clients (even remote laptop
: users).
: Would a home user with no firewall (stand alone, not networked) be easily
: infected without some action on their part (like the Blaster infection?)?
: I am new to understanding attacks such as these and I'm trying to learn some
: programming and theories so I can better understand application level
: vulnerabilities and attacks, so I am wondering if there are others here who
: understand these better and can explain these a little better.  I know ASN.1
: is more of a mother language for networking and not really a language like
: C/+/#, etc., but I would assume some of the same rules hold generally true?
: Thanks,
: Corinne Cook
: -----Original Message-----
: From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
: Behalf Of Brian Dessent
: Sent: Wednesday, February 11, 2004 4:56 PM
: To: General DShield Discussion List
: Subject: Re: [Dshield] Microsoft ASN.1
: Dragos Ruiu wrote:
: > David Meltzer had this fine snort signature for it:
: >
: > alert tcp any any -> any any (msg:"Possible ASN.1 Exploit Attempt")
: Better hope that you have plenty of free space on the mount that
: contains your log files, if you use this one...
: Brian
: _______________________________________________
: list mailing list
: list at dshield.org
: To change your subscription options (or unsubscribe), see:
: http://www.dshield.org/mailman/listinfo/list
: _______________________________________________
: list mailing list
: list at dshield.org
: To change your subscription options (or unsubscribe), see:

More information about the list mailing list