News Stay informed about the latest enterprise technology news and product updates.

S/MIME vulnerability requires vendor-specific patches

Hundreds of potentially affected vendors are rushing to create patches for a security vulnerability in the S/MIME protocol that may permit a denial of service.

Hundreds of potentially affected vendors are rushing to create patches for a security vulnerability in the S/MIME protocol that may permit a denial of service.

Originally, e-mail consisted entirely of text. The MIME (multipurpose Internet mail extensions) protocol was devised to allow non-text items (graphics, sound, binary objects) to be represented as text and sent via e-mail. The S/MIME (secure multipurpose Internet mail extensions) addition enables this exchange to be done securely, and is commonly used for digital signatures and encrypted e-mail.

The problem is that the secure portion of an e-mail attachment is encoded with ASN.1 (Abstract Syntax Notation One). A remote attacker could use an exceptional ASN.1 element that the S/MIME implementation might not be able to handle. This could cause a denial-of-service. There is also a small possibility that a buffer overflow could be exploited to execute arbitrary code.

Since S/MIME is implemented differently by different vendors, each vendor must test their implementation, and provide their own patch if vulnerable.

Dig Deeper on Email and Messaging Threats-Information Security Threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close