RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption

From: Joe Blatz (sd_wireless_at_yahoo.com)
Date: 02/10/04

    Date: Tue, 10 Feb 2004 11:36:20 -0800 (PST)
    To: mmaiffret@eeye.com, BUGTRAQ@securityfocus.com
    
    

    In the security bulletin published by MS it states,
    "In the most likely exploitable scenario, an attacker
    would have to have direct access to the user's
    network."

    The bulletin published by eEye states "...applications
    that make use of certificates (SSL, digitally-signed
    e-mail, signed ActiveX controls, etc.) [are
    affected]".

    I see a big disconnect there. Can you address this?
    Also, how would this potentially affect sites that are
    using an MS VPN solution?

    > -----Original Message-----
    > From: Marc Maiffret [mailto:mmaiffret@eeye.com]
    > Sent: Tuesday, February 10, 2004 10:20 AM
    > To: BUGTRAQ@securityfocus.com
    > Subject: EEYE: Microsoft ASN.1 Library Length
    > Overflow Heap Corruption
    >
    > Microsoft ASN.1 Library Length Overflow Heap
    > Corruption
    >
    > Release Date:
    > February 10, 2004
    >
    > Date Reported:
    > July 25, 2003
    >
    > Severity:
    > High (Remote Code Execution)
    >
    > Systems Affected:
    > Microsoft Windows NT 4.0 (all versions)
    > Microsoft Windows 2000 (SP3 and earlier)
    > Microsoft Windows XP (all versions)
    >
    > Software Affected:
    > Microsoft Internet Explorer
    > Microsoft Outlook
    > Microsoft Outlook Express
    > Third-party applications that use certificates
    >
    > Services Affected:
    > Kerberos (UDP/88)
    > Microsoft IIS using SSL
    > NTLMv2 authentication (TCP/135, 139, 445)


