[33737] in bugtraq
Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
daemon@ATHENA.MIT.EDU (Michael Shigorin)
Mon Feb 16 15:02:29 2004
Date: Sat, 14 Feb 2004 13:13:18 +0200
From: Michael Shigorin <mike@osdn.org.ua>
To: "Boyce, Nick" <nick.boyce@eds.com>
Cc: BUGTRAQ@securityfocus.com, "'Marc Maiffret'" <mmaiffret@eeye.com>
Message-ID: <20040214111318.GY16617@osdn.org.ua>
Mail-Followup-To: "Boyce, Nick" <nick.boyce@eds.com>,
BUGTRAQ@securityfocus.com, 'Marc Maiffret' <mmaiffret@eeye.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="zOr5JpMIiGv/Oaxu"
Content-Disposition: inline
In-Reply-To: <5F5FDD4B3580D511B3700002A57493F8FF27A7@gbhbm201.exgb01.exch.eds.com>
--zOr5JpMIiGv/Oaxu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Wed, Feb 11, 2004 at 07:04:31PM -0000, Boyce, Nick wrote:
> version: 4.4.3388
[snip]
> The file versions for MSASN1.DLL listed in
> http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
> are all of the form 5.m.nnnn.x, so it may be that the Win98
> version is so much older that it doesn't contain the vulnerable
> code ...
If reference implementation is flawed, then "may be" seems not.
And it's reported as such.
If Microsoft were to support "legacy users", they'd put out a
public update for that; else at least considerable part of those
are left with something like zlib-related headache: buried deep
down there and unsupported thus not fixed, but you never know if
someone really needs to get in.
--
---- WBR, Michael Shigorin <mike@altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/
--zOr5JpMIiGv/Oaxu
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFALgLObsPDprYMm3IRAjOQAJ0cjsXQoQUwqWH68E/04KhVJc8QLQCfbp/r
btV93x+eLw3xALSaEnepGbo=
=Qm1U
-----END PGP SIGNATURE-----
--zOr5JpMIiGv/Oaxu--
