[VIM] Verisign ConfigChk ActiveX Overflow(s)

Stuart Moore smoore at securityglobal.net
Fri Feb 23 17:07:42 EST 2007


Steve,

iDefense is owned by VeriSign, so, "they" did indeed discover a 
vulnerability in their own product.

Stuart


Steven M. Christey wrote:
> 
>> Has anyone determined if there are any differences between the buffer
>> overflow covered by US-CERT's VU#308087 and iDefense's advisory #479?
>> Both involve the VerCompare() method of Verisign's Configuration
>> Checker ActiveX control. SecurityFocus has two BIDs: 22671 and 22676 respectively.
> 
> I decided to merge these in CVE.  The correlating data was too close.
> And given that the iDEFENSE advisory mentioned there were 2 arguments for
> VerCompare(), there isn't much room for different issues.  There only
> seems to be one patch coming from Verisign in this time frame.  Now,
> iDefense might have mistakenly assumed this was a fix for their vuln -
> research orgs sometimes do that - but still, there are other correlators.
> 
>> There's an acknowledgement from Verisign of what appears to be a single
>> issue (ie, "VeriSign has discovered *a* buffer overrun security
>> vulnerability", emphasis mine) here:
>>
>>    http://www.verisign.com/support/advisories/page_040740.html
> 
> In CVE, we'll frequently note - but otherwise dismiss - when vendors talk
> about "a" vuln because there are frequently multiple issues.  Everybody
> counts vulns differently, vendors least of all.  Though it is strange that
> they say *they* discovered it.
> 
> - Steve
> 
