More on WMF Exploits
Peter Ferrie from Symantec mentioned on full-disclosure,
If they're blindly detecting anything that contains the SetAbortProc, then they're detecting the legitimate use of a documented function. It's not a buffer overflow. WMF files since at least Windows 3.0 days have been allowed to carry executable code in the form of their own SetAbortProc handler.
The Metasploit version of the exploit illustrates this well; working through the fields, it's apparent that there are no crazy high values being used. Just an (under)documented function.
It's a little snarky, though, to insinuate that "blindly" looking for this is a bad solution. It's certainly a lot better than checking file extensions.
Other observation: I still haven't heard "boo" from the major media outlets -- only nerdzines ZDNet and eWeek (and related) have picked up the story. Strange. I guess the constant flood of spyware/adware popups is just normal for most people.
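The "blind" detection being argued about comes down to walking the WMF record stream and flagging any META_ESCAPE record whose escape function is SETABORTPROC, regardless of what the parameter values look like. As an added example (not from the post, nor any vendor's signature), here is that check in Python; the record layout follows the public WMF format, and the sample files are constructed inline with inert filler in place of any handler code.

```python
import struct
META_ESCAPE = 0x0626       # WMF record function for printer escapes
SETABORTPROC = 0x0009      # escape sub-function that registers an abort callback
PLACEABLE_MAGIC = 0x9AC6CDD7  # Aldus placeable header, optional 22-byte prefix

def wmf_records(data: bytes):
    """Yield (record_function, params) for each record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return  # too short to hold a META_HEADER
    hdr_words = struct.unpack_from("<H", data, off + 2)[0]  # HeaderSize in 16-bit words
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            break  # truncated or malformed record: stop rather than misparse
        yield func, data[off + 6:off + size]
        off += size
        if func == 0:  # META_EOF
            break

def find_setabortproc(data: bytes):
    """Return the ByteCount of every SETABORTPROC escape record found."""
    hits = []
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append(byte_count)
    return hits

def build_wmf(records):
    """Constructed test helper: wrap (func, params) pairs in a minimal WMF."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, 0)  # META_EOF
    words = (18 + len(body)) // 2
    return struct.pack("<HHHHHHIH", 1, 9, 0x0300, words & 0xFFFF, words >> 16, 0, 0, 0) + body

def demo():
    # Constructed samples: a plain META_SETMAPMODE record, and a SETABORTPROC
    # escape whose payload is inert zero filler, not handler code.
    benign = build_wmf([(0x0103, struct.pack("<H", 8))])
    flagged = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)])
    return find_setabortproc(benign), find_setabortproc(flagged)
if __name__ == "__main__":
    print(demo())  # ([], [4])
```

Note that the check keys purely on the record and escape function codes, which is exactly why it also fires on a legitimate file that registers its own abort handler.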

1 Comment:
I still haven't heard "boo" from the major media outlets -- only nerdzines ZDNet and eWeek (and related) have picked up the story.
Maybe they don't want to make MS angry and lose advertising money.