Full Disclosure mailing list archives
Re: EEYE: Microsoft ASN.1 Library Length Heap Corruption; Security Wire Perspectives, Vol. 6, No. 13, February 16, 2004
From: yossarian <yossarian () planet nl>
Date: Mon, 16 Feb 2004 22:11:43 +0100
It's also necessary to examine how the basics of ASN.1 changed so that now it's an issue for Microsoft, but not for other software vendors. Many believe Microsoft is now suffering from decisions made during the initial design and creation of the Windows 2000 products. At that time Microsoft stated it would add Kerberos, LDAP and other connectivity for providing better access to non-Microsoft standards. Yet, at the time, the software giant also said it would be a Microsoft version of these products, not off the shelf as other vendors had chosen. ASN.1 is a notation, method or formal communication structure by which applications speak to one another. This is very similar to the English language where words are placed in a certain order to convey one idea, then used in a different manner to convey another, making it flexible and scalable to many ideas yet still granular to the communication.
There is another issue I am wondering about - XP Home. I've rarely seen home users with an LDAP, IPSec or Kerberos in their network, nor have I seen an ISP using this. Reading the bulletin, it is inconclusive on Home, just stating 'XP', so I gather 'Home' is vulnerable too. Why have they put support for these corporate schemes in the Home release? IMHO there can't be too much difference in the OS's, except default settings. Which opens the way for companies to use XP Home with some slight modifications to save money - since it can be used to connect to a more complex environment anyway.