VanDyke Software

Security Advisory

Microsoft has released a security bulletin (MS04-007) describing a vulnerability in the parsing of ASN.1 data that could result in remote code execution. This is not a vulnerability in VanDyke applications and there is no need to update VanDyke applications to address this issue. It is, however, a critical vulnerability in affected versions of Windows for which Microsoft updates should be applied immediately.


Posted: February 13, 2004

Description

Microsoft has released a security bulletin (MS04-007) describing a vulnerability in the parsing of ASN.1 data that could result in remote code execution.

This vulnerability is present in many versions of Windows (including Windows NT/2000/XP/2003).

To exploit this vulnerability, an attacker must force a computer to decode malformed ASN.1 data. VanDyke applications that run on Windows can be configured (for example, to use Kerberos or X.509 authentication methods) so that they parse ASN.1 data using the system libraries that contain this vulnerability. Therefore, VanDyke applications running on unpatched systems could be one avenue through which this vulnerability is exploited.

Note that this is not a vulnerability in VanDyke applications, and there is no need to update VanDyke applications to address this issue. It is, however, a critical vulnerability in affected versions of Windows, for which Microsoft updates should be applied immediately.

Please refer to the following Microsoft Security Bulletin for more information on the vulnerability, affected versions of Windows, and update procedures:

http://www.microsoft.com/technet/security/bulletin/MS04-007.asp

 

Technical Support

For further information on the security advisory, please contact VanDyke Software.
 

Official Postings

US-CERT published an advisory on this vulnerability on February 10, 2004.
VanDyke posted this page on 02/13/2004.

 

Revision History

02/13/2004 - Security Advisory published.