CVE-2010-2566

Name of the Vulnerable Software and Affected Versions Microsoft Windows XP SP2 and SP3 Microsoft Windows Server 2003 SP2

Description The issue arises from the improper validation of certificate request messages from TLS and SSL servers by the Secure Channel (SChannel) security package. This allows remote servers to execute arbitrary code via a crafted SSL response. A remote code execution vulnerability exists in the way SChannel on a client machine validates a certificate request message sent by the server. An attacker could host a specially crafted Web site designed to exploit this vulnerability through an Internet Web browser, but would need to convince a user to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message.

Recommendations For Microsoft Windows XP SP2 and SP3, consider disabling the SChannel security package temporarily until a patch is available. For Microsoft Windows Server 2003 SP2, restrict access to the SChannel security package to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.