Hundreds of potentially affected vendors are rushing to create patches for a security vulnerability in the S/MIME protocol that may permit a denial of service.
Originally, e-mail consisted entirely of text. The MIME (multipurpose Internet mail extensions) protocol was devised to allow non-text items (graphics, sound, binary objects) to be represented as text and sent via e-mail. The S/MIME (secure multipurpose Internet mail extensions) addition enables this exchange to be done securely, and is commonly used for digital signatures and encrypted e-mail.
The problem is that the secure portion of an e-mail attachment is encoded with ASN.1 (Abstract Syntax Notation One). A remote attacker could use an exceptional ASN.1 element that the S/MIME implementation might not be able to handle. This could cause a denial-of-service. There is also a small possibility that a buffer overflow could be exploited to execute arbitrary code.
Since S/MIME is implemented differently by different vendors, each vendor must test their implementation, and provide their own patch if vulnerable.
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director