Threat Level: green Handler on Duty: Brad Duncan

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Technical document on WMF vulnerability and Guilfanov's patch available

Published: 2006-01-05
Last Updated: 2006-01-05 21:45:49 UTC
by Tom Liston (Version: 1)
0 comment(s)
I've written a technical document describing what is going on "behind-the-scenes" to cause the current WMF SETABORTPROC vulnerability and how Ilfak Guilfanov's patch worked to mitigate it.  Included are both annotations to the patch's source code and an annotated disassembly of the patch itself. 

Interestingly, reading Microsoft's description of their patch:

Specifically, the change introduced to address this vulnerability removes the support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image. This update does not remove support for ABORTPROC functions registered by application SetAbortProc() API calls.

it appears that they ended up doing the same thing that Guilfanov's patch did (but where Guilfanov' had to jump though .dll injection hoops, they could just change the source code and recompile GDI32.DLL...).

The document can be found here.
Keywords:
0 comment(s)
Diary Archives