[13430] in bugtraq


Re: Microsoft Security Bulletin (MS00-005)

daemon@ATHENA.MIT.EDU (Pauli Ojanpera)
Wed Jan 19 13:35:03 2000

Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id:  <20000119100000.29400.qmail@hotmail.com>
Date:         Wed, 19 Jan 2000 11:00:00 CET
Reply-To: Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>
From: Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Open letter to microsucks.

>From: Microsoft Product Security <secnotif@MICROSOFT.COM>
>Reply-To: Microsoft Product Security <secnotif@MICROSOFT.COM>
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Microsoft Security Bulletin (MS00-005)
>Date: Mon, 17 Jan 2000 16:49:11 -0800

They failed to mention me!

And btw it is possible to execute arbitrary code by
abusing the fact that one can control ECX also. At
least on Win98.

"This means that an attacker who wanted to run arbitrary code would need to
write a program whose machine language consisted entirely of lower-case
alphanumeric data. Microsoft engineers have thoroughly studied this aspect
of the vulnerability, and we believe that this is not feasible."

So an attacker does just that. Push and pop instructions have
nice opcodes. Check the Securityfocus database... I made a file
which, when opened by double clicking, runs an eternal loop.
Trace that... Works in Win98 at least. But not limited to.
No warranty. Check it. Use your brain.

If Microsucks wants users to audit their shit they should
at least give the credit to whom the credit is due. Fix
http://www.microsoft.com/security/bulletins/MS00-005faq.asp
credits also.

thanks

