Full Disclosure mailing list archives
Re: Defense in depth -- the Microsoft way (part 9): erroneous documentation
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Mon, 2 Sep 2013 10:53:05 +0200
> I am truly shocked that seemingly, stuff like this needs to be said in the year of 2013.

Completely right!

> I'd have supposed that things like these should be known by *anyone* doing anything even remotely similar to software development *at least* since the end of the 8.3 filename era 15 years ago.

Again: completely right!

> Are you sure this is real and not a prank? o_O

This is real: see <https://support.microsoft.com/kb/2781197> alias <http://technet.microsoft.com/security/bulletin/ms13-034> or <http://seclists.org/fulldisclosure/2013/May/10> for exactly this "stuff".

And don't forget to read <http://seclists.org/fulldisclosure/2013/Aug/75> as well as <http://seclists.org/fulldisclosure/2013/May/14>.

Also see <https://bugzilla.mozilla.org/show_bug.cgi?id=871084>, <https://bugzilla.mozilla.org/show_bug.cgi?id=786407> and <https://bugzilla.mozilla.org/show_bug.cgi?id=868746>, and notice especially how a Mozilla developer tries to weasel and ignore <http://msdn.microsoft.com/library/ms997548.aspx>!

JFTR: Windows is the ONLY system that covers such silly beginners' errors due to the documented idiosyncrasy of CreateProcess() (see <http://msdn.microsoft.com/library/ms682425.aspx>).

Finally take a look at the registry subkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] of your own Windows installation (if you have one): you'll most probably find unquoted pathnames in "UninstallString", for example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SumatraPDF]
"UninstallString"="C:\\Program Files\\SumatraPDF\\uninstall.exe"

regards
Stefan

> regards
> Pascal Ernster
[ fullquote removed ]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
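The registry check Stefan suggests, as an added example that is not part of the original mail: it models the lookup order the cited CreateProcess() documentation describes for an unquoted command line containing spaces (each space-delimited prefix is tried as the module name, with ".exe" appended where the prefix has no extension) and flags every "UninstallString" for which some candidate is tried before the executable the author evidently meant. The "intended executable" heuristic (the first prefix carrying an explicit extension, else the full path) is an assumption of this example; the `winreg` read runs only on Windows, and the sample values other than the SumatraPDF one quoted above are constructed.

```python
"""Audit "UninstallString" values for unquoted executable paths with spaces.

Added example, not code from the original mail. Models the documented
CreateProcess() behaviour for an unquoted lpCommandLine: the string is
split at each space and every prefix is tried in turn as the module
name, ".exe" being appended to a prefix that has no extension.
"""
import os
from typing import Dict, List

try:                    # winreg exists only on Windows; the audit of the
    import winreg       # constructed sample data below runs anywhere
except ImportError:
    winreg = None

UNINSTALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


def _has_extension(path: str) -> bool:
    """True when the final path component contains a '.' (an explicit extension)."""
    return "." in path.replace("/", "\\").rsplit("\\", 1)[-1]


def _prefixes(cmdline: str) -> List[str]:
    """Raw module-name prefixes in the order CreateProcess would try them.

    A command line starting with a double quote has exactly one prefix, the
    quoted text (arguments after the closing quote are ignored). An unquoted
    one yields one prefix per space-delimited token boundary.
    """
    s = cmdline.strip()
    if not s:
        return []
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:] if end == -1 else s[1:end]]
    tokens = s.split(" ")
    return [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]


def module_candidates(cmdline: str) -> List[str]:
    """Module names tried in order, e.g. for C:\\Program Files\\X\\u.exe:
    C:\\Program.exe, then C:\\Program Files\\X\\u.exe."""
    return [p if _has_extension(p) else p + ".exe" for p in _prefixes(cmdline)]


def preempting_candidates(cmdline: str) -> List[str]:
    """Candidates tried *before* the executable the author evidently meant.

    Heuristic (an assumption of this example): the intended module is the
    first prefix that carries an explicit extension, or the full path when
    none does. A non-empty result means the command line needs quoting.
    """
    prefixes = _prefixes(cmdline)
    cands = module_candidates(cmdline)
    if len(cands) <= 1:
        return []
    for i, p in enumerate(prefixes):
        if _has_extension(p):
            return cands[:i]
    return cands[:-1]


def audit(uninstall_strings: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each subkey with an ambiguous UninstallString to the module names
    CreateProcess would try before the intended uninstaller."""
    findings = {}
    for name, cmd in uninstall_strings.items():
        pre = preempting_candidates(cmd)
        if pre:
            findings[name] = pre
    return findings


def read_uninstall_strings() -> Dict[str, str]:
    """Read "UninstallString" from every subkey of the Uninstall key (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UNINSTALL_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, name) as sub:
                    value, _ = winreg.QueryValueEx(sub, "UninstallString")
            except OSError:         # subkey without an UninstallString value
                continue
            if isinstance(value, str):
                result[name] = os.path.expandvars(value)  # REG_EXPAND_SZ
    return result


# Constructed sample data; only the SumatraPDF entry is the one quoted in the mail.
SAMPLE_UNINSTALL_STRINGS = {
    "SumatraPDF": r"C:\Program Files\SumatraPDF\uninstall.exe",
    "QuotedApp": r'"C:\Program Files\Quoted App\uninst.exe" /S',
    "NoSpaces": r"C:\Tools\remove.exe /S",
    "MsiEntry": "MsiExec.exe /X{PLACEHOLDER-PRODUCT-CODE}",
}

if __name__ == "__main__":
    data = read_uninstall_strings() if winreg else SAMPLE_UNINSTALL_STRINGS
    for name, pre in audit(data).items():
        present = [c for c in pre if os.path.exists(c)]  # already shadowed?
        print(f"{name}: unquoted path; tried first: {', '.join(pre)}"
              + (f"; EXISTS: {', '.join(present)}" if present else ""))
```

Run on Windows it walks the live Uninstall key; elsewhere it audits the constructed sample, reporting only the SumatraPDF entry, for which `C:\Program.exe` is tried before the real uninstaller. The `EXISTS` annotation is the check worth acting on first: a file already sitting at one of the preempting names.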