Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability
From: Lionel Ferette <lionel.ferette () belnet be>
Date: Mon, 16 Jan 2006 08:17:31 +0100

In the wise words of Austin Murkland, on Friday 13 January 2006 20:30:
Can anyone else verify Steve Gibson's assertion that this flaw was 
intentionally placed by Microsoft programmers?

From http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx:
"Now, there’s been some speculation that you can only trigger this by using an 
incorrect size in your metafile record and that this trigger was somehow 
intentional.  That speculation is wrong on both counts. The vulnerability can 
be triggered with correct or incorrect size values.  If you are seeing that 
you can only trigger it with an incorrect value, it's probably because your 
SetAbortProc record is the last record in the metafile. The way this 
functionality works is by registering the callback to be called after the 
next metafile record is played. If the SetAbortProc record is the last record 
in the metafile, it will be more difficult to trigger the vulnerability."

No, thus.



P.S.: cross-posting is bad

"To understand how progress failed to make our lives easier,
please press 3"

Lionel Ferette
BELNET CERT Coordinator

Tel: +32 2 7903385                  http://cert.belnet.be/
Fax: +32 2 7903375                  PGP Key Id: 0x5662FD4B

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]