If at first you don't succeed; call it version 1.0
Friday, January 06, 2006

As the great Israeli comedians group, "Hagashash Hachiver", was known to say: "So... What did we have so far?"

One critical vulnerability in Windows' Graphics Rendering Engine. Over 200 known viruses exploiting this vulnerability. At least 3 "generations" of the Metasploit Proof-of-Concept code. Two third-party unofficial patches. One leaked "beta" patch, and one official patch, released 5 days earlier.
And all this in a week or so. Wow! What a great opening for 2006.

According to the Microsoft's security bulletin, and some other sources (haven't bindiff it myself yet...), the patch only forbids the Escape's code execution functionality, if it was called by the WMF rendering engine. But, is it enough?

A quick scan through my %windir%\system32 shows that over 20 DLL files are importing the problematic Escape function.

A better solution by Microsoft would be to forbid the SetAbortProc functionality, as they probably already did in the 64bit version of Windows XP.

I can only hope that they'll provide a better fix, before someone else exploits this design flaw.


Friday, January 06, 2006 6:35:19 PM UTC | Comments [0] | Security#
Comments are closed.     
Send me an Email
Follow me on Twitter
RSS Feeds
  
Blogroll
Archive
Admin Login
Sign In
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.