That is, if you actually need more reasons for distrusting Verisign...

VeriSign ConfigChk ActiveX Control Buffer Overflow Vulnerability

iDefense Security Advisory 02.22.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 22, 2007

I. BACKGROUND

The ConfigChk ActiveX Control is part of VeriSign Inc.'s MPKI, Secure
Messaging for Microsoft Exchange and Go Secure! products. It looks for the
Microsoft Enhanced Cryptographic Provider in order to support 1024-bit
cryptography.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in VeriSign Inc.'s
ConfigChk ActiveX Control could allow an attacker to execute arbitrary
code within the security context of the victim.

The ActiveX control in question, identified by CLSID
08F04139-8DFC-11D2-80E9-006008B066EE, is marked as being safe for
scripting.

The vulnerability specifically exists when processing lengthy parameters
passed to the VerCompare() method. If either of the two parameters passed
to this method are longer than 28 bytes, stack memory corruption will
occur. This amounts to a trivially exploitable stack-based buffer
overflow.

Original advisory here

[ published on Fri 23.02.2007 17:25 | filed in interests/anti | ]
Debian Silver Server
© Alexander Zangerl