CVE-2008-3068

Name of the Vulnerable Software and Affected Versions: Microsoft Crypto API versions 5.131.2600.2180 through 6.0

Description: The issue allows remote attackers to obtain reading times and IP addresses of recipients, and port-scan results, by using a crafted certificate with an Authority Information Access (AIA) extension in a S/MIME e-mail message or signed document. This is due to the Microsoft Crypto API performing Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate.

Recommendations: For Microsoft Crypto API versions 5.131.2600.2180 through 6.0, consider restricting access to the Authority Information Access (AIA) extension to minimize the risk of exploitation. As a temporary workaround, avoid using the AIA extension in certificates until a patch is available.