Well, I did my patch and I'm giving it away to be modifiable by everyone out there.<br><br>I did it for version 5.1.2600.2622 of user32.dll, English version; not sure <br>if that is the last version from M$ (with the way they handle patches you know
<br>you could miss one). Anyway, in any case I believe there is enough information<br>in the sources if it needs a fix or... not, if Microsoft really comes with a patch<br>tomorrow. So far you don't have to be at the mercy of the Chinese worm or evil random
<br>cracker. Let me know if it is a POS, if it has bugs, etc... Maybe it is not needed by tomorrow, <br>but I was already doing it. So if it helps... then great!!<br><br>download binaries here<br><a href="http://aircash.sourceforge.net/micro-distro-src.zip">
http://aircash.sourceforge.net/micro-distro-src.zip</a><br><br>and sources here<br><a href="http://aircash.sourceforge.net/micro-distro-bin.zip">http://aircash.sourceforge.net/micro-distro-bin.zip</a><br><br>just my 2 cents
<br><br>Regards<br>Waldo<br><br><div><span class="gmail_quote">On 4/1/07, <b class="gmail_sendername">Gadi Evron</b> <<a href="mailto:ge@linuxbox.org">ge@linuxbox.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi, more information about the patch released April 1st can be found here:<br><br><a href="http://zert.isotf.org/">http://zert.isotf.org/</a><br><br>Including:<br>1. Technical information.<br>2. Why this patch was released when eeye already released a third party
<br>patch.<br><br>The newly discovered zero-day vulnerability in the parsing of animated<br>cursors is very similar to the one previously discovered by eEye that was<br>patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated
<br>cursor RIFF file is read into a stack buffer of a fixed size (36<br>bytes) but the actual memory copy operation uses the length field provided<br>inside the "anih" chunk, giving an attacker an easy route to overflow the
<br>stack and gain control of the execution of the process.<br><br>With the MS05-002 patch, Microsoft added a check for the length of the<br>chunk before copying it to the buffer. However, they neglected to audit<br>the rest of the code for any other instances of the vulnerable copy
<br>routine. As it turns out, if there are two "anih" chunks in the file, the<br>second chunk will be handled by a separate piece of code which Microsoft<br>did not fix. This is what the authors of the zero-day discovered.
<br><br>Although eEye has released a third-party patch that will prevent the<br>latest exploit from working, it doesn't fix the flawed copy routine. It<br>simply requires that any cursors loaded must reside within the Windows
<br>directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should<br>successfully mitigate most "drive-bys," but might be bypassed by an<br>attacker with access to this directory.<br><br>For this reason, ZERT is releasing a patch which addresses the core of the
<br>vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk<br>will be copied to the stack buffer, thus eliminating all potential exploit<br>paths while maintaining compatibility with well-formatted animated cursor
<br>files.<br><br> Gadi.<br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br>
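The quoted explanation describes the defect in terms of RIFF structure: an "anih" chunk is copied into a 36-byte stack buffer using the chunk's own declared length, and a second "anih" chunk in the same file reaches a copy routine that the MS05-002 fix did not cover. The validator below is an added example written for this thread; it is not Waldo's patch, ZERT's patch, or eEye's code, and it does not touch user32.dll. It walks every chunk of a RIFF/ACON file (descending into LIST chunks) and reports the first "anih" chunk whose declared size exceeds the 36 bytes the quoted text gives for the header, so a mail gateway or file scanner can reject such files before a vulnerable parser sees them. The RIFF/ACON layout (four-byte ids, little-endian lengths, word-aligned chunks) is the standard RIFF convention; the 36-byte limit and the names `check_ani`, `check_sample` and `build_sample_ani` are this example's own, and the sample files are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the ANIHEADER the "anih" chunk is expected to carry (36 bytes, per the quoted text). */
#define ANIH_EXPECTED_SIZE 36u

enum ani_verdict {
    ANI_OK = 0,             /* every anih chunk fits the 36-byte header */
    ANI_NOT_RIFF_ACON = 1,  /* not a RIFF/ACON container at all */
    ANI_TRUNCATED = 2,      /* a declared chunk length runs past the end of the data */
    ANI_OVERSIZED_ANIH = 3  /* some anih chunk (first, second, ...) declares more than 36 bytes */
};

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walks a run of RIFF chunks, recursing into LIST chunks, and checks every anih chunk.
   anih_count (may be NULL) receives how many anih chunks were seen, so a second one is not missed. */
static enum ani_verdict walk_chunks(const unsigned char *p, size_t len, int *anih_count) {
    size_t off = 0;
    while (off + 8 <= len) {
        const unsigned char *id = p + off;
        uint32_t sz = rd_le32(p + off + 4);
        size_t body = off + 8;
        if ((size_t)sz > len - body) return ANI_TRUNCATED;   /* length field lies about the data */
        if (memcmp(id, "anih", 4) == 0) {
            if (anih_count) (*anih_count)++;
            if (sz > ANIH_EXPECTED_SIZE) return ANI_OVERSIZED_ANIH; /* would overflow a 36-byte buffer */
        } else if (memcmp(id, "LIST", 4) == 0 && sz >= 4) {
            enum ani_verdict v = walk_chunks(p + body + 4, sz - 4, anih_count); /* skip list type */
            if (v != ANI_OK) return v;
        }
        off = body + sz + (sz & 1);  /* RIFF chunks are padded to an even length */
    }
    return ANI_OK;
}

/* Validates a whole .ani file held in memory. */
enum ani_verdict check_ani(const unsigned char *buf, size_t len, int *anih_count) {
    if (anih_count) *anih_count = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_NOT_RIFF_ACON;
    uint32_t riff_len = rd_le32(buf + 4);
    if (riff_len < 4 || (size_t)riff_len > len - 8) return ANI_TRUNCATED;
    return walk_chunks(buf + 12, riff_len - 4, anih_count);
}

/* Constructed sample: a RIFF/ACON file with n anih chunks of the given declared sizes,
   bodies zero-filled. Returns bytes written, or 0 if cap is too small. */
size_t build_sample_ani(unsigned char *out, size_t cap, const uint32_t *sizes, int n) {
    size_t total = 12;
    for (int i = 0; i < n; i++) total += 8 + sizes[i] + (sizes[i] & 1);
    if (total > cap) return 0;
    memset(out, 0, total);
    memcpy(out, "RIFF", 4); wr_le32(out + 4, (uint32_t)(total - 8)); memcpy(out + 8, "ACON", 4);
    size_t off = 12;
    for (int i = 0; i < n; i++) {
        memcpy(out + off, "anih", 4); wr_le32(out + off + 4, sizes[i]);
        off += 8 + sizes[i] + (sizes[i] & 1);
    }
    return total;
}

/* Builds a two-anih sample with the given declared sizes, optionally trims `drop` bytes
   off the end (simulating a truncated download), and returns the validator's verdict. */
enum ani_verdict check_sample(uint32_t first, uint32_t second, size_t drop) {
    unsigned char buf[512];
    uint32_t sizes[2] = { first, second };
    size_t n = build_sample_ani(buf, sizeof buf, sizes, 2);
    if (n == 0 || drop > n) return ANI_TRUNCATED;
    int count = 0;
    return check_ani(buf, n - drop, &count);
}

int main(void) {
    printf("two well-formed anih chunks : %d\n", (int)check_sample(36, 36, 0));
    printf("oversized second anih chunk: %d\n", (int)check_sample(36, 200, 0));
    printf("file cut short             : %d\n", (int)check_sample(36, 36, 10));
    return 0;
}
```

A well-formed cursor with two 36-byte "anih" chunks passes, while a file whose second "anih" chunk declares 200 bytes is flagged even though its first chunk is fine, which is exactly the case the quoted text says the MS05-002 fix left uncovered. The length-versus-remaining-data check also keeps the validator itself from reading past the buffer on a truncated or deliberately malformed file.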