Microsoft ASN flaw may be biggest defect ever found
- Subject: Microsoft ASN flaw may be biggest defect ever found
- From: Gary Stoneburner <gary.stoneburner@nist.gov>
- Date: Thu, 12 Feb 2004 11:09:33 -0500
re: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949830,00.html
re: MS04-007, http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-007.asp
re: CAN-2003-0818, http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
re: National Cyber Alert, TA04-041A, http://www.us-cert.gov/cas/techalerts/TA04-041A.html

"It's the biggest Microsoft flaw we've found -- maybe the biggest
ever found," said Marc Maiffret, chief hacking officer at Aliso
Viejo, Calif.-based eEye Digital Security, which discovered the flaw.
"Because it's in a shared component, it has multiple avenues for
attacks -- everything from file sharing to IPSec."

"In particular, ASN.1 is used by a number of cryptographic and
authentication services such as digital certificates (x.509), Kerberos,
NTLMv2, SSL and TLS," according to the CERT advisory. "Both
client and server systems are affected. The Local Security Authority
Subsystem (lsass.exe) and a component of the CryptoAPI (crypt32.dll) use
the vulnerable ASN.1 library."

Cheers,
Gary
**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************