Re: [Full-disclosure] More information on ZERT patch for ANI 0day



On Mon, 2 Apr 2007, James (njan) Eaton-Lee wrote:

Gadi Evron wrote:
Although eEye has released a third-party patch that will prevent the
latest exploit from working, it doesn't fix the flawed copy routine. It
simply requires that any cursors loaded must reside within the Windows
directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should
successfully mitigate most "drive-by's," but might be bypassed by an
attacker with access to this directory.

I'm thinking that an attacker with write access to %systemroot% probably
has juicier, simpler targets to attack (which potentially let them run
code in a higher security context) than animated cursors.

http://www.milw0rm.com/exploits/3636



- James.

--
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

"All at sea again / And now my hurricanes
Have brought down this ocean rain / To bathe me again"

https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


