ISS Security Brief: Microsoft ASN.1 Integer Manipulation Vulnerabilities

From: X-Force
Date: 02/11/04

    Date: Wed, 11 Feb 2004 12:54:50 -0500 (EST)


    Internet Security Systems Security Brief
    February 11, 2004

    Microsoft ASN.1 Integer Manipulation Vulnerabilities


    Microsoft has released Security Bulletin MS04-007 to address vulnerabilities
    in the ASN.1 parsing component of the Windows Operating Systems. This
    component is used by several applications for transmission of data across
    the network. Some examples of applications which make use of ASN.1 include
    Internet Explorer and IIS for certificate parsing, NTLMv2 authentication,
    Kerberos authentication, ISAKMP, LDAP and Exchange.


    The vulnerability could be exploited by remote attackers to cause a Denial
    of Service (DoS) or potentially gain access to a vulnerable machine with
    the privileges of the services being exploited. This vulnerability may be
    exploited in many default configurations if vulnerable services are remotely

    There are currently no known exploits in the wild for this issue. Due to
    the nature of this vulnerability, reliable and successful remote
    exploitation is considered difficult.

    Known Affected Products:

    Microsoft Windows NT4, 2000, XP and 2003 when used with one of the
    following applications:

    - NTLMv2 authentication
    - Internet Explorer
    - Outlook
    - IIS 4.0, 5.0, 5.1 and 6.0 with client certificate parsing enabled
    - ISAKMP/IPSec
    - Exchange 5.x, 2000, 2003
    - LDAP
    - Kerberos

    For the complete ISS X-Force Security Alert, please visit:


    About Internet Security Systems (ISS)
    Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
    pioneer and world leader in software and services that protect critical
    online resources from an ever-changing spectrum of threats and misuse.
    Internet Security Systems is headquartered in Atlanta, GA, with
    additional operations throughout the Americas, Asia, Australia, Europe
    and the Middle East.

    Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved

    Permission is hereby granted for the electronic redistribution of this
    document. It is not to be edited or altered in any way without the
    express written consent of the Internet Security Systems X-Force. If
    you wish to reprint the whole or any part of this document in any other
    medium excluding electronic media, please email for

    Disclaimer: The information within this paper may change without notice.
    Use of this information constitutes acceptance for use in an AS IS
    condition. There are NO warranties, implied or otherwise, with regard to
    this information or its use. Any use of this information is at the
    user's risk. In no event shall the author/distributor (Internet Security
    Systems X-Force) be held liable for any damages whatsoever arising out
    of or in connection with the use or spread of this information.

    X-Force PGP Key available on MIT's PGP key server and's key
    server, as well as at
    Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.
