“Full details of each vulnerability will be disclosed to the public at the time a patch is released from the vendor,” eEye says in its advisory.
The potential buffer overflow patched yesterday by Microsoft could be exploited through a range of applications running on Windows, including Secure Sockets Layer (SSL) under IIS, Microsoft’s Kerberos implementation, digitally-signed ActiveX controls and third-party software using encryption certificates. It stems from a potential buffer oveflow in the way Windows uses Abstract Syntax Notation 1 (ASN.1), a standard commonly used to exchange data between different platforms.
The possibility of an exploit targeting ASN.1 has been a long term concern for Internet security practitioners, and, for example, Bill Hancock expressed specific concern during Congressiona l testimony in November, citing “lack of security controls in base networking protocols and ‘building block’ protocols such as Abstract Syntax Notation.1 (ASN.1).”