mailing list archives
Re: Re: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability
From: Lionel Ferette <lionel.ferette () belnet be>
Date: Mon, 16 Jan 2006 08:17:31 +0100
In the wise words of Austin Murkland, on Friday 13 January 2006 20:30:
Can anyone else verify Steve Gibson's assertion that this flaw was
intentionally placed by Microsoft programmers?
"Now, there’s been some speculation that you can only trigger this by using an
incorrect size in your metafile record and that this trigger was somehow
intentional. That speculation is wrong on both counts. The vulnerability can
be triggered with correct or incorrect size values. If you are seeing that
you can only trigger it with an incorrect value, it's probably because your
SetAbortProc record is the last record in the metafile. The way this
functionality works is by registering the callback to be called after the
next metafile record is played. If the SetAbortProc record is the last record
in the metafile, it will be more difficult to trigger the vulnerability."
P.S.: cross-posting is bad
"To understand how progress failed to make our lives easier,
please press 3"
BELNET CERT Coordinator
Tel: +32 2 7903385 http://cert.belnet.be/
Fax: +32 2 7903375 PGP Key Id: 0x5662FD4B
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/