<<< Date Index >>>     <<< Thread Index >>>

Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption



On Wed, Feb 11, 2004 at 07:04:31PM -0000, Boyce, Nick wrote:
>   version:  4.4.3388
[snip]
> The file versions for MSASN1.DLL listed in
> http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
> are all of the form 5.m.nnnn.x, so it may be that the Win98
> version is so much older that it doesn't contain the vulnerable
> code ...

If reference implementation is flawed, then "may be" seems not.
And it's reported as such.

If Microsoft were to support "legacy users", they'd put out a
public update for that; else at least considerable part of those
are left with something like zlib-related headache: buried deep
down there and unsupported thus not fixed, but you never know if
someone really needs to get in.

-- 
 ---- WBR, Michael Shigorin <mike@xxxxxxxxxxx>
  ------ Linux.Kiev http://www.linux.kiev.ua/

Attachment: pgpEr2zjfOzpP.pgp
Description: PGP signature