-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Brief
February 11, 2004

Microsoft ASN.1 Integer Manipulation Vulnerabilities

Synopsis:

Microsoft has released Security Bulletin MS04-007 to address vulnerabilities in the ASN.1 parsing component of the Windows Operating Systems. This component is used by several applications for transmission of data across the network. Some examples of applications which make use of ASN.1 include Internet Explorer and IIS for certificate parsing, NTLMv2 authentication, Kerberos authentication, ISAKMP, LDAP and Exchange.

Impact:

The vulnerability could be exploited by remote attackers to cause a Denial of Service (DoS) or potentially gain access to a vulnerable machine with the privileges of the services being exploited. This vulnerability may be exploited in many default configurations if vulnerable services are remotely accessible. There are currently no known exploits in the wild for this issue. Due to the nature of this vulnerability, reliable and successful remote exploitation is considered difficult.

Known Affected Products:

Microsoft Windows NT4, 2000, XP and 2003 when used with one of the following applications:

- NTLMv2 authentication
- Internet Explorer
- Outlook
- IIS 4.0, 5.0, 5.1 and 6.0 with client certificate parsing enabled
- ISAKMP/IPSec
- Exchange 5.x, 2000, 2003
- LDAP
- Kerberos

For the complete ISS X-Force Security Alert, please visit:
http://xforce.iss.net/xforce/alerts/id/164

______

About Internet Security Systems (ISS)

Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email xforceiss.net for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force xforceiss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBQCpsNzRfJiV99eG9AQGzRAP9FVg7FqNv0S6HSry1fCNq6QjpTAjX+Y8k
4FpGwwN27q4MnnIqNpLQtepPilqaUQtjo0PajDzzuwWAxy827fzVFfuD5m6RNNdA
Q/oOwKdqzMixXwFDGq3zbzhTQdiRUijbWEqHIvNHaFg1Khp+maWgxMlhgTee+i7T
gKeSmdj9j8M=
=JHcy
-----END PGP SIGNATURE-----