[VIM] Verisign ConfigChk ActiveX Overflow(s)
Stuart Moore
smoore at securityglobal.net
Fri Feb 23 17:07:42 EST 2007
Steve,
iDefense is owned by VeriSign, so, "they" did indeed discover a
vulnerability in their own product.
Stuart
Steven M. Christey wrote:
>
>> Has anyone determined if there are any differences between the buffer
>> overflow covered by US-CERT's VU#308087 and iDefense's advisory #479.
>> Both involve the VerCompare() method of the Verisign's Configuration
>> Checker ActiveX? SecurityFocus has two BIDs: 22671 and 22676 respectively.
>
> I decided to merge these in CVE. The correlating data was too close.
> And given that the iDEFENSE advisory mentioned there were 2 arguments for
> VerCompare(), there isn't much room for different issues. There only
> seems to be one patch coming from Verisign in this time frame. Now,
> iDefense might have mistakenly assumed this was a fix for their vuln -
> research orgs sometimes do that - but still, there are other correlators.
>
>> There's an acknowledgement from Verisign of what appears to be a single
>> issue (ie, "VeriSign has discovered *a* buffer overrun security
>> vulnerability", emphasis mine) here:
>>
>> http://www.verisign.com/support/advisories/page_040740.html
>
> In CVE, we'll frequently note - but otherwise dismiss - when vendors talk
> about "a" vuln because there are frequently multiple issues. Everybody
> counts vulns differently, vendors least of all. Though it is strange that
> they say *they* discovered it.
>
> - Steve
>
More information about the VIM
mailing list