February 10, 2004
Dear Customers,
A new vulnerability in Microsoft Windows has been announced.
Microsoft Security Bulletin MS04-007 announces a patch for multiple vulnerabilities in the Microsoft Windows
ASN.1 library (msasn1.dll). According to information from eEye Digital Security, the vulnerabilities involve
integer overflows and other flaws in integer arithmetic. More information is available in two vulnerability
notes:
VU#216324 - Microsoft ASN.1 Library improperly decodes malformed ASN.1 length values
(Other resources: AD20040210, MS04-007, CAN-2003-0818)
VU#583108 - Microsoft ASN.1 Library improperly decodes constructed bit strings
(Other resources: AD20040210-2, MS04-007, CAN-2003-0818)
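To illustrate the class of flaw named above (integer arithmetic on attacker-supplied ASN.1 length values), here is an added example of a BER length decoder that validates the field before it is used. It is not Microsoft's code and does not reproduce the msasn1.dll defects; the name ber_read_length, the result codes and the sample bytes are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (hypothetical names for this example). */
enum { BER_OK = 0, BER_TRUNCATED = -1, BER_UNSUPPORTED = -2, BER_TOO_LONG = -3 };

/*
 * Decode one BER length field at buf[*off] and confirm that the content it
 * announces fits in the remaining input. On success *off points at the first
 * content byte and *len holds the content size.
 */
int ber_read_length(const uint8_t *buf, size_t buflen, size_t *off, size_t *len)
{
    if (*off >= buflen)
        return BER_TRUNCATED;
    uint8_t first = buf[(*off)++];
    size_t value = 0;

    if (first < 0x80) {                 /* short form: length in 7 bits */
        value = first;
    } else {
        size_t n = first & 0x7f;        /* long form: n length octets follow */
        if (n == 0)                     /* 0x80 = indefinite length */
            return BER_UNSUPPORTED;
        if (n > sizeof(size_t))         /* value would not fit in size_t */
            return BER_TOO_LONG;
        if (n > buflen - *off)          /* the length octets are missing */
            return BER_TRUNCATED;
        while (n--)
            value = (value << 8) | buf[(*off)++];
    }
    /* Compare with the bytes left; never compute *off + value, it can wrap. */
    if (value > buflen - *off)
        return BER_TOO_LONG;
    *len = value;
    return BER_OK;
}

int main(void)
{
    /* Constructed input: OCTET STRING claiming 0xFFFFFFFF content bytes. */
    const uint8_t bad[] = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 0x00 };
    size_t off = 1, len = 0;
    printf("result = %d\n", ber_read_length(bad, sizeof bad, &off, &len));
    return 0;
}
```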
Impact
An unauthenticated, remote attacker could execute arbitrary code with the privileges of the process using the
ASN.1 library. In the case of most server and authentication applications, an attacker could gain SYSTEM
privileges.
Solution
Apply a patch
Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-007.
The appropriate patch should be applied if you are using any of the following
Microsoft operating systems:
Systems Affected
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 TSE
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
This is an advisory. For further information, please contact Microsoft or
visit their web page at: http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
Regards,
The staff @air-internet.com