[VIM] Verisign ConfigChk ActiveX Overflow(s)

Steven M. Christey coley at linus.mitre.org
Fri Feb 23 13:45:53 EST 2007



> Has anyone determined if there are any differences between the buffer
> overflow covered by US-CERT's VU#308087 and iDefense's advisory #479.
> Both involve the VerCompare() method of the Verisign's Configuration
> Checker ActiveX? SecurityFocus has two BIDs: 22671 and 22676 respectively.

I decided to merge these in CVE.  The correlating data was too close.
And given that the iDEFENSE advisory mentioned there were 2 arguments for
VerCompare(), there isn't much room for different issues.  There only
seems to be one patch coming from Verisign in this time frame.  Now,
iDefense might have mistakenly assumed this was a fix for their vuln -
research orgs sometimes do that - but still, there are other correlators.

> There's an acknowledgement from Verisign of what appears to be a single
> issue (ie, "VeriSign has discovered *a* buffer overrun security
> vulnerability", emphasis mine) here:
>
>    http://www.verisign.com/support/advisories/page_040740.html

In CVE, we'll frequently note - but otherwise dismiss - when vendors talk
about "a" vuln because there are frequently multiple issues.  Everybody
counts vulns differently, vendors least of all.  Though it is strange that
they say *they* discovered it.

- Steve


More information about the VIM mailing list