[VIM] ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability

ZDI Disclosures zdi-disclosures at tippingpoint.com
Wed Feb 10 18:50:14 UTC 2010


Jericho,

The crux of this issue was never fully identified on our behalf; we simply tracked it down to the point that we knew it was reachable from ShellExecute(). We're not entirely sure why Microsoft chose to split the patch across two months, but we were told by them to wait until this month to release our advisory. The issue can be triggered from a variety of vectors, the most interesting to an attacker being MSIE. It is NOT, however, only exposed through IE. We just updated the web advisory to reflect all affected operating systems, which in addition to XP include 2000 and 2003. We suspect that Microsoft first addressed the IE vector last month and the actual bug this month. Hope that helps.

Kate

-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org] 
Sent: Wednesday, February 10, 2010 2:53 AM
To: ZDI Disclosures
Cc: vim at attrition.org
Subject: Re: ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability



On Tue, 9 Feb 2010, ZDI Disclosures wrote:

: ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-016
: February 9, 2010
: 
: -- CVE ID:
: CVE-2010-0027
: 
: -- Affected Products:
: Microsoft Windows XP
: 
: -- Vendor Response:
: Microsoft has issued an update to correct this vulnerability. More
: details can be found at:
: 
: http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx
: 
: -- Disclosure Timeline:
: 2009-07-20 - Vulnerability reported to vendor
: 2010-02-09 - Coordinated public release of advisory

This CVE crosses with MS10-002 / 978207, tracked by OSVDB 61909 "Microsoft IE Unspecified Crafted URL Handling Arbitrary Code Execution". Per previous disclosure, this was reported to MS on 2009-11-15.

Your advisory says this affects Windows XP, not MSIE specifically, and crosses to MS10-007.

Can you clarify please?

