Bugtraq mailing list archives

Re: Third-party patch for CVE-2007-3896, UPDATE NOW

From: "KJK::Hyperion" <hackbunny () s0ftpj org>
Date: Wed, 17 Oct 2007 14:16:21 +0200

KJK::Hyperion ha scritto:

The present patch is dramatically under-tested and it has underwent no
quality assurance procedure whatsoever, so please deploy with the
greatest care.


Indeed, I just found a gruesome memory leak in it. A silly bug, brown
paperbag-grade shame. If you installed my patch, upgrade RIGHT THIS
MOMENT NOW or slowly die:

<http://spacebunny.xepher.net/hack/shellexecutefiasco/>

For the press guys watching: THIS IS VERY IMPORTANT, more important than
the original patch was. I don't expect "shitty patch actually shitty" to
seriously make the big headlines, but, hey, a heads up: there is a good
reason Microsoft takes a lot of time to put patches out, after all. I
don't do this for the reputation, either: I already made a U-turn on my
feelings about the vulnerability, I'm not too proud to admit my mistakes
(god knows how big the egos can get in FD)

Current thread:

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype, (continued)
- - - Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype KJK::Hyperion (Oct 09)
    - Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Thierry Zoller (Oct 11)
    - Re[3]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype 3APA3A (Oct 09)
    - Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Geo. (Oct 09)
    - Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Thierry Zoller (Oct 09)
    - Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Geo. (Oct 09)
    - Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Valdis . Kletnieks (Oct 09)
    - Message not available
    - Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype gjgowey (Oct 09)
    - Message not available
    - Fwd: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype merigoth (Oct 11)
    - Message not available
    - Third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) available KJK::Hyperion (Oct 15)
    - Re: Third-party patch for CVE-2007-3896, UPDATE NOW KJK::Hyperion (Oct 17)
    - Re: URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Thierry Zoller (Oct 11)
    - RE: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Roger A. Grimes (Oct 09)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Andreas Lindenblatt (Oct 09)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Andreas Lindenblatt (Oct 09)
- RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Juergen Schmidt (Oct 06)
- Re[2]: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Thierry Zoller (Oct 06)
  - Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Morning Wood (Oct 09)
- RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Jim Slora (Oct 09)