Full Disclosure mailing list archives
Re: Insecure call to CreateProcess()/CreateProcessAsUser()
From: Paul Szabo <psz () maths usyd edu au>
Date: Mon, 22 May 2006 07:31:26 +1000
Charles Morris <cmorris () cs odu edu> wrote:
... iexplore.exe calls CreateProcess() [insecurely]. ... Microsoft was notified, they told me it was a "non issue" ...
References I have to similar behaviour: Useless tidbit [MS AntiSpyware, program.exe trick] http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html Window's O/S [IE notepad.exe in Desktop] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039095.html http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039109.html http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039116.html Seems that Microsoft recognized and promised to fix this in Antispyware (now Windows Defender), I do not see why they cannot fix IExplore also. Cheers, Paul Szabo psz () maths usyd edu au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Insecure call to CreateProcess()/CreateProcessAsUser() Charles Morris (May 21)
- Re: Insecure call to CreateProcess()/CreateProcessAsUser() Andres Tarasco (May 21)
- Re: Insecure call to CreateProcess()/CreateProcessAsUser() Charles Morris (May 21)
- Re: Insecure call to CreateProcess()/CreateProcessAsUser() Andres Tarasco (May 21)
- Re[2]: Insecure call to CreateProcess()/CreateProcessAsUser() Thierry Zoller (May 21)
- Re: Insecure call to CreateProcess()/CreateProcessAsUser() Charles Morris (May 21)
- Re: Insecure call to CreateProcess()/CreateProcessAsUser() Andres Tarasco (May 21)
- Re: Insecure call to CreateProcess()/CreateProcessAsUser() Paul Szabo (May 21)