Full Disclosure mailing list archives

Re: More information on ZERT patch for ANI 0day


From: Gadi Evron <ge () linuxbox org>
Date: Mon, 2 Apr 2007 13:10:56 -0500 (CDT)

On Mon, 2 Apr 2007, James (njan) Eaton-Lee wrote:

Gadi Evron wrote:
Although eEye has released a third-party patch that will prevent the
latest exploit from working, it doesn't fix the flawed copy routine. It
simply requires that any cursors loaded must reside within the Windows
directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should
successfully mitigate most "drive-by's," but might be bypassed by an
attacker with access to this directory.

I'm thinking that an attacker with write access to %systemroot% probably 
has juicier, simpler targets to attack (which potentially let them run 
code in a higher security context) than animated cursors.

http://www.milw0rm.com/exploits/3636



  - James.

-- 
   James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

    "All at sea again / And now my hurricanes
    Have brought down this ocean rain / To bathe me again"

  https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
-- 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

