funsec mailing list archives

Re: exploiting MS08-021


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Mon, 14 Apr 2008 19:18:24 -0400

The current version of the advisory is 1.2 and includes (in the
Workarounds section) instructions for a registry hack that turns off all
metafile processing. 

 

It's not clear how much this affects real-world use. Probably depends on
your software and devices.

 

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

________________________________

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Richard M. Smith
Sent: Monday, April 14, 2008 6:28 PM
To: funsec () linuxbox org
Subject: Re: [funsec] exploiting MS08-021

 

I don't know the answer to your question, but I've asked the Microsoft
security folks for some way to turn off automatically opening WMF files
in IE.  I made my query 3 or 4 WMF bugs ago, but got no reply.

 

Here's my new question:  Can WMF images and auto-executing exploit code
be embedded in Word, Excel, and PowerPoint files?

 

Richard

 

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Larry Seltzer
Sent: Monday, April 14, 2008 5:34 PM
To: funsec () linuxbox org
Subject: [funsec] exploiting MS08-021

 

There's exploit code out (http://www.milw0rm.com/exploits/5442) for
MS08-021
(http://www.microsoft.com/technet/security/Bulletin/MS08-021.mspx) which
describes GDI buffer overflows in the loading of EMF and WMF files.

 

There were other big problems in years past in the loading of these
files. Can anyone recall if the defaults for IE were changed with
respect to loading these files, perhaps from an IFRAME?

 

Thanks.

 

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
