Administrators should apply the available patches as soon as possible, as this vulnerability can be exploited through many different vectors. The vulnerability cannot be mitigated because shutting down affected services essentially renders the system inoperable. Any subsystem that utilizes the Microsoft crypt32.dll library, and thereby the msasn1.dll library, is susceptible.
Moderate - There is currently no obvious threat publicly available. However, TruSecure believes that critical network security infrastructure components must be patched immediately in order to ensure the trust placed in them.
High - Microsoft Security Bulletin MS04-007 addresses two exploit possibilities for a critical vulnerability in all Microsoft platforms that, if exploited, can result in total system compromise. The most significant aspect of the vulnerabilities is that they exist in critical network security infrastructure components, such as authentication, encryption, and certificate handling.
High - Exploitation of this vulnerability can allow the execution of arbitrary code with System privileges. Systems storing sensitive information, such as financial or customer-related data, could be severely impacted.
Exploits are likely to be attempted by a small group of professional attackers who may gain access to exploit code. Attacks are likely to target high-profile sites, such as banks and other financial institutions. If exploit code becomes publicly available, malicious code and attack tools are likely to surface that enable low-level attackers to attempt exploits.
Exploit code has been released to the public. The code is effective against Windows 2000 Professional and Windows XP SP 1 and results in a DoS condition. While the current code only results in a DoS condition, it is probable that the code will be modified by others to execute arbitrary code.