S/MIME vulnerability requires vendor-specific patches

By Edmund X. DeJesus, SearchSecurity.com Contributor 05 Nov 2003 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Hundreds of potentially affected vendors are rushing to create patches for a security vulnerability in the S/MIME protocol that may permit a denial of service.

Originally, e-mail consisted entirely of text. The MIME (multipurpose Internet mail extensions) protocol was devised to allow non-text items (graphics, sound, binary objects) to be represented as text and sent via e-mail. The S/MIME (secure multipurpose Internet mail extensions) addition enables this exchange to be done securely, and is commonly used for digital signatures and encrypted e-mail.

The problem is that the secure portion of an e-mail attachment is encoded with ASN.1 (Abstract Syntax Notation One). A remote attacker could use an exceptional ASN.1 element that the S/MIME implementation might not be able to handle. This could cause a denial-of-service. There is also a small possibility that a buffer overflow could be exploited to execute arbitrary code.

Since S/MIME is implemented differently by different vendors, each vendor must test their implementation, and provide their own patch if vulnerable.

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary