Linked by Thom Holwerda on Wed 4th Jan 2006 22:45 UTC
The saga around the WMF flaw in Windows continues. "A cryptographically signed version of Microsoft's patch for the Windows Metafile vulnerability accidentally leaked onto the Internet late Tuesday, adding a new wrinkle to the company's round-the-clock efforts to stop the flow of malicious exploits. The MSRC (Microsoft Security Response Center) acknowledged that a slip-up caused 'a fast-track, pre-release version of the update' to be posted to a security community site and urged users to 'disregard' the premature update."
Thread beginning with comment 81998
RE[2]: ...
by Marcellus (member since 2005-08-26) on Thu 5th Jan 2006 07:14 UTC in reply to "RE: ..."

How much can any patch possibly screw up an image format handler???

Has it occurred to you that it's not only the image format handler that is being patched?

AFAIK, this was simply an attack vector that was vulnerable, but fixing the handler itself won't remove the underlying problems.

Score: 1

RE[3]: ...
by Nathan O. (member since 2005-08-11) on Thu 5th Jan 2006 16:08 in reply to "RE[2]: ..."

It occurred to me, yes, but can anyone give me an example of such a thing happening in a properly designed library?

I'm asking seriously. I'm in school for this sort of thing right now, and I'd like to know. I'll have to look up the details of the vulnerability now.

Score: 1

RE[3]: ...
by Nathan O. (member since 2005-08-11) on Thu 5th Jan 2006 16:44 in reply to "RE[2]: ..."

I looked this thing up on Symantec's web site (let me know if they aren't as reputable as I think), and it seems there are two reports of WMF bugs. The first was reported 11-08-05 and allows execution of arbitrary code as the SYSTEM user (totally unlimited root, IIRC), and the second, dated 12-28-05, is the same, except code is run as the user viewing the file.

In both cases, it seems to be completely confined to this one library (the former is an integer overflow, the second is less descriptive, citing a single function in the library).

I still don't understand why it has to be so thoroughly tested in so many languages. I'm guessing the November buffer overflow was fixed quickly. I definitely understand, though, that the more recent one is something I understand less.

Score: 1
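Nathan asks for an example of such a flaw in an image format handler, and the thread names an integer overflow. As an added illustration (not from the thread, and not Microsoft's WMF code), here is a constructed C parser for a simplified metafile-style record whose length check is defeated by 32-bit wrap-around and underflow, beside a hardened version; the record layout is this example's own assumption, not the real format in every detail.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed, simplified metafile-style record header (this example's own
 * layout, not a faithful copy of WMF): little-endian 32-bit record size in
 * 16-bit words, then a 16-bit function code, then the payload. */
#define HDR_BYTES 6u
static uint32_t get_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: plain 32-bit arithmetic, so a huge word count wraps to a
 * small byte count that passes the bounds check, and a word count shorter than
 * the header underflows the payload length to ~4 GB. Returns 0 or -1. */
int parse_record_vuln(const uint8_t *buf, size_t buf_len, uint32_t *payload)
{
    if (buf_len < HDR_BYTES) return -1;
    uint32_t size_words = get_u32le(buf);
    uint32_t size_bytes = size_words * 2;   /* wraps when size_words >= 2^31 */
    if (size_bytes > buf_len) return -1;    /* passes on the wrapped value */
    *payload = size_bytes - HDR_BYTES;      /* underflows when size_bytes < 6 */
    return 0;
}

/* Hardened form: reject a size that would wrap, and one shorter than its own
 * header, before the arithmetic is done. */
int parse_record_safe(const uint8_t *buf, size_t buf_len, uint32_t *payload)
{
    if (buf_len < HDR_BYTES) return -1;
    uint32_t size_words = get_u32le(buf);
    if (size_words > UINT32_MAX / 2) return -1;
    uint32_t size_bytes = size_words * 2;
    if (size_bytes < HDR_BYTES || size_bytes > buf_len) return -1;
    *payload = size_bytes - HDR_BYTES;
    return 0;
}

/* Builds a 16-byte constructed record with the given size field, runs the
 * chosen parser, and returns the payload length it accepted or -1. */
long long demo(uint32_t size_words, int use_safe)
{
    uint8_t buf[16] = {0};
    uint32_t payload;
    buf[0] = (uint8_t)size_words;         buf[1] = (uint8_t)(size_words >> 8);
    buf[2] = (uint8_t)(size_words >> 16); buf[3] = (uint8_t)(size_words >> 24);
    buf[4] = 0x0f;                        /* arbitrary constructed function code */
    int rc = use_safe ? parse_record_safe(buf, sizeof buf, &payload)
                      : parse_record_vuln(buf, sizeof buf, &payload);
    return rc == 0 ? (long long)payload : -1;
}
```

The wrapped and underflowed sizes are exactly what a fix to the handler must reject; the thread's point that patching the handler alone may not address the underlying problem is about where else such arithmetic lives.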