Re: EEYE: Microsoft ASN.1 Library Length Heap Corruption; Security Wire Perspectives, Vol. 6, No. 13, February 16, 2004

[yossarian <yossarian () planet nl>]

> It's also necessary to examine how the basics of ASN.1 changed so
> that now it's an issue for Microsoft, but not for other software
> vendors. Many believe Microsoft is now suffering from decisions made
> during the initial design and creation of the Windows 2000 products.
> At that time Microsoft stated it would add Kerberos, LDAP and other
> connectivity for providing better access to non-Microsoft standards.
> Yet, at the time, the software giant also said it would be a
> Microsoft version of these products, not off the shelf as other
> vendors had chosen.
>
> ASN.1 is a notation, method or formal communication structure by
> which applications speak to one another. This is very similar to the
> English language where words are placed in a certain order to convey
> one idea, then used in a different manner to convey another, making
> it flexible and scalable to many ideas yet still granular to the
> communication.
There is another issue i am wondering about - XP Home. I've rarely seen home
users with an LDAP, IPSec or Kerberos in their network, nor have I seen an
ISP using this. Reading the bulletin, it is inconclusive on Home, just
stating 'XP', so I gather 'Home' is vulnerable too. Why have they put
support for these corporate schemes in the Home release? IMHO there can't be
too much difference in the OS's, except default settings. Which opens the
way for companies to use XP Home with some slight modifications to save
money - since it can be used to connect to a more complex environment
anyway.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html