Security Advisory

Microsoft has released a security bulletin (MS04-007) describing a vulnerability in the parsing of ASN.1 data that could result in remote code execution. This is not a vulnerability in VanDyke applications and there is no need to update VanDyke applications to address this issue. It is, however, a critical vulnerability in affected versions of Windows for which Microsoft updates should be applied immediately.

Posted: February 13, 2004

Description

Microsoft has released a security bulletin (MS04-007) describing a vulnerability in the parsing of ASN.1 data that could result in remote code execution.

This vulnerability is present in many versions of Windows (including Windows NT/2000/XP/2003).

To exploit this vulnerability, an attacker must force a computer to decode malformed ASN.1 data. VanDyke applications that run on Windows can be configured in such a way (such as using Kerberos or X.509 authentication methods) that they could parse ASN.1 data using the system libraries that contain this vulnerability. Therefore, the use of VanDyke applications on unpatched systems could be one way to exploit this vulnerability.

Note, this is not a vulnerability in VanDyke applications and there is no need to update VanDyke applications to address this issue. It is, however, a critical vulnerability in affected versions of Windows for which Microsoft updates should be applied immediately.

Please refer to the following Microsoft Security Bulletin for more information on the vulnerability, affected versions of Windows, and update procedures:

https://learn.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-007