Windows CryptoAPI Null Truncation and Integer Overflow Vulnerabilities

Summary

These vulnerabilities could allow spoofing if an attacker gains access to the certificate used by the end user for authentication.

Credit:

The information has been provided by Ian Wright, Jean-Luc Giraud, Dan Kaminsky and Microsoft.
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/ms09-056.mspx


Details

Vulnerable Systems:
 * Microsoft Windows 2000
 * Windows XP
 * Windows Server 2003
 * Windows Vista
 * Windows Server 2008
 * Windows 7

This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

The security update addresses the vulnerabilities by modifying the CryptoAPI to reject certificate names that contain null terminators, and to correctly validate ASN.1 object identifiers.
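The two checks the update describes, rejecting certificate names with embedded null bytes and decoding ASN.1 object identifiers without letting an arc overflow, are shown below as an added illustration. This is not Microsoft's CryptoAPI code; the arc bound `MAX_ARC` and the sample inputs are assumptions chosen for the example.

```python
# Assumed bound on a single OID arc: wide enough for real OIDs, small enough
# that the base-128 accumulation below can never wrap silently.
MAX_ARC = 2**64 - 1


def name_is_safe(name: str) -> bool:
    """Reject a certificate name field that contains an embedded NUL.

    A C-string consumer would stop at the NUL and see only the prefix, so
    the name a user is shown and the name actually encoded would differ.
    """
    return "\x00" not in name


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form.

    Each arc is base-128 with a continuation bit; the accumulator is checked
    before every shift so an over-long arc raises instead of overflowing.
    Also rejects empty input, leading 0x80 padding, and a truncated last arc.
    """
    if not content:
        raise ValueError("empty OID content")
    arcs, value, in_arc = [], 0, False
    for b in content:
        if not in_arc and b == 0x80:
            raise ValueError("non-minimal arc encoding")
        if value > (MAX_ARC >> 7):
            raise ValueError("OID arc overflow")
        value = (value << 7) | (b & 0x7F)
        in_arc = True
        if b & 0x80 == 0:
            arcs.append(value)
            value, in_arc = 0, False
    if in_arc:
        raise ValueError("truncated OID: continuation bit set on last octet")
    # The first octet packs the first two arcs as 40*X + Y.
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


if __name__ == "__main__":
    # Constructed inputs: sha256WithRSAEncryption, and a NUL-bearing CN.
    print(decode_oid(bytes.fromhex("2a864886f70d01010b")))  # 1.2.840.113549.1.1.11
    print(name_is_safe("good.example\x00.other.example"))   # False
```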

Patch Availability:
http://go.microsoft.com/fwlink/?LinkID=40747

CVE Information:
CVE-2009-2510
CVE-2009-2511

Categories: UNIX