S/MIME vulnerability requires vendor-specific patches

Hundreds of potentially affected vendors are rushing to create patches for a security vulnerability in the S/MIME protocol that may permit a denial of service.

Hundreds of potentially affected vendors are rushing to create patches for a security vulnerability in the S/MIME...

protocol that may permit a denial of service.

Originally, e-mail consisted entirely of text. The MIME (multipurpose Internet mail extensions) protocol was devised to allow non-text items (graphics, sound, binary objects) to be represented as text and sent via e-mail. The S/MIME (secure multipurpose Internet mail extensions) addition enables this exchange to be done securely, and is commonly used for digital signatures and encrypted e-mail.

The problem is that the secure portion of an e-mail attachment is encoded with ASN.1 (Abstract Syntax Notation One). A remote attacker could use an exceptional ASN.1 element that the S/MIME implementation might not be able to handle. This could cause a denial-of-service. There is also a small possibility that a buffer overflow could be exploited to execute arbitrary code.

Since S/MIME is implemented differently by different vendors, each vendor must test their implementation, and provide their own patch if vulnerable.

Dig Deeper on Email and Messaging Threats (spam, phishing, instant messaging)

PRO+

Content

Find more PRO+ content and other member only offers, here.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close