>From the MS04-07 bulletin, Windows 9x is not mentioned. Someone has asked whether Windows 98 is vulnerable to this attack or not. It could be that Windows 98/ME are vulnerable to this attack through the installation of Office suite. The following link refers to the msasn1.dll on Windows ME. But, Windows ME is not included in the security bulletin on Microsoft website. Then, the question is whether Windows ME is vulnerable to this attack? http://216.239.41.104/search?q=cache:bi0p-l5diJ4J:24.229.94.2/crypt32_import s.html+ASN1BERDecOctetString&hl=en&ie=UTF-8 Below are a snapshot for usage of MSASN1.DLL. What a "monoculture vulnerability" as far as the DLL base address is concerned! ======================== On Windows NT: 30 Module: 6af00000: C:\WINNT\System32\MSAsn1.DLL for E:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE On Windows 2K: 30 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for \??\F:\WIN2K\SYSTEM32\WINLOGON.EXE 58 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for F:\WIN2K\SYSTEM32\SERVICES.EXE 16 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for F:\WIN2K\SYSTEM32\LSASS.EXE 47 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for F:\WIN2K\SYSTEM32\SPOOLSV.EXE 56 Module: 77430000: f:\win2k\system32\MSASN1.DLL for F:\WIN2K\SYSTEM32\SVCHOST.EXE 40 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for F:\PROGRA~1\MICROS~3\MSSQL\BINN\SQLSERVR.EXE 26 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for F:\WIN2K\SYSTEM32\INETSRV\INETINFO.EXE 11 Module: 77430000: F:\WIN2K\System32\MSASN1.DLL for F:\WIN2K\SYSTEM32\MQSVC.EXE On Windows XP: 11 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for \??\C:\WINDOWS\SYSTEM32\WINLOGON.EXE 15 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\SYSTEM32\LSASS.EXE 39 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\SYSTEM32\SVCHOST.EXE 20 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\SYSTEM32\SVCHOST.EXE 24 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\SYSTEM32\SPOOLSV.EXE 40 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\EXPLORER.EXE 34 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE 29 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\HH.EXE 67 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\ACROBAT\ACROBAT.EXE ======================== So, it seems that potential exploit of this vulnerability can be direct like DCOM-RPC or through emails or even PDF files? Peter Huang http://www.ossecurity.ca/ MyDoom, YourDoom, are we all doomed? > -----Original Message----- > From: Marc Maiffret [mailto:mmaiffret@eeye.com] > Sent: Tuesday, February 10, 2004 3:47 PM > To: Tina Bird > Cc: Joe Blatz; BUGTRAQ@securityfocus.com > Subject: RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap > Corruption > > > Yes, I am not sure what Microsoft did with the wording there that seems > to be misleading to at least a few people so far.
