[Full-disclosure] Re: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability
Lionel Ferette
lionel.ferette at belnet.be
Mon Jan 16 07:17:31 GMT 2006
In the wise words of Austin Murkland, on Friday 13 January 2006 20:30:
> Can anyone else verify Steve Gibson's assertion that this flaw was
> intentionally placed by Microsoft programmers?
>
> http://www.grc.com/sn/SN-022.htm
From http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx:
"Now, there’s been some speculation that you can only trigger this by using an
incorrect size in your metafile record and that this trigger was somehow
intentional. That speculation is wrong on both counts. The vulnerability can
be triggered with correct or incorrect size values. If you are seeing that
you can only trigger it with an incorrect value, it's probably because your
SetAbortProc record is the last record in the metafile. The way this
functionality works is by registering the callback to be called after the
next metafile record is played. If the SetAbortProc record is the last record
in the metafile, it will be more difficult to trigger the vulnerability."
No, thus.
HTH,
Lionel
P.S.: cross-posting is bad
--
"To understand how progress failed to make our lives easier,
please press 3"
Lionel Ferette
BELNET CERT Coordinator
Tel: +32 2 7903385 http://cert.belnet.be/
Fax: +32 2 7903375 PGP Key Id: 0x5662FD4B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060116/fe4a8f9f/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.