Advisories - Managed PKI Client Security Vulnerability Patch from VeriSign, Inc.


Managed PKI Client Security Vulnerability Patch

Subject: Additional steps needed to address the Buffer Overrun Vulnerability found in Managed PKI Client site kit

Date: March 27th, 2007

Dear VeriSign Managed PKI Client Customer,

Summary

In a previous communication dated February 14th, 2007, details were provided regarding a security vulnerability in an ActiveX Control that exists in the Managed PKI Client site kit. After further analysis conducted by VeriSign, it was found that additional steps are required by customers to address this vulnerability. Even after the CAB file in the Managed PKI Client site kit has been updated, the updated ActiveX control may not be delivered automatically to computers when users visit the enrollment pages.

Recommended Action

VeriSign is providing a web site where users can check for the vulnerable ActiveX Control and patch as appropriate. Customers may point their users to this URL:

https://www.verisign.com/support/mpki-support/vsvulnote.htm

Users will be notified that a vulnerability check will be performed. If the computer is vulnerable, the user will be prompted to install an updated ActiveX Control. Users without power user or administrator privileges on their computer will be prompted to download the OnSite.msi package, which they can run to install the updated ActiveX Control.

Customers who wish to host these pages on their own web server can request a copy of the HTML pages from VeriSign Customer Support.

Key Release Date Summary 

February 14, 2007

The previous communication was released, notifying customers of the security vulnerability. The patch is available for download in the Managed PKI Control Center.

February 27, 2007

Patch was applied to VeriSign Remote Hosting pages.

March 27, 2007

This communication was released, notifying customers of additional steps needed to patch the vulnerability.

Technical Support

If you have any questions or concerns, please contact VeriSign Technical Support at enterprise-pkisupport@verisign.com or call +1 650-426-3535 or 1-800-579-2848.

Sincerely,

VeriSign Product Management

