Full Disclosure mailing list archives

Re: More information on ZERT patch for ANI 0day


From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Tue, 3 Apr 2007 10:32:31 -0700

On 4/3/07, Stefan Kelm <stefan.kelm () secorvo de> wrote:
> Has anyone actually checked what this patch does? Who are ZERT and
> ISOTF respectively ("About ISOTF" at http://www.isotf.org/?page_value=0
> says a lot...)?
>
> ...or is this an April Fool's joke?

The patch is 100% real and it is effective.  I've seen it in action on
testbeds.  I can't claim to be an unbiased observer, as I helped some
with the actual engineering process.

There's a list of team members available:
http://www.isotf.org/zert/members.htm

ZERT includes a handful of the industry's most talented reverse
engineering experts.  You will know many of them if you follow
security news regularly, and some of them whose names may not be
familiar to you (like Michael Ligh and Gil Dabah) are nonetheless
master craftsmen of the trade we call security engineering.  If I were
running a security department, I'd hire them.

You don't have to listen to me, though.  For the cynics out there who
are as comfortable vetting code yourself as listening to me (nothing
wrong with that, either), there's source code in the downloadable ZIP.
The code is missing for two components:

1. The patch ships the Microsoft Layer for Unicode (MSLU) in
Unicows.dll which enables us to support platforms (Windows 95/98/Me)
which are no longer officially supported by Microsoft.  You can
replace that DLL with your own copy of the MSLU library if you're
concerned about its origins -- it hasn't been modified at all.

2. The patch sources statically link to Gil Dabah's distorm disassembler
library (distorm.lib) as well.  That library is used to identify the
vulnerable code within the affected DLL.  You can build your own copy of
that, from source, if you wish:

http://www.ragestorm.net/distorm/

Don't worry... the patch doesn't bite.  In either sense of the word.

Regards,
Matt Murphy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
