TUCoPS :: Browsers :: hack2180.htm

TUCoPS :: Browsers :: hack2180.htm
IEBUG: Archives of Internet Explorer

IEBUG: Archives of Internet Explorer IEBUG: Archives of Internet Explorer ==================================== hi, everyone. i have created a website containing all bugtraq&fd&ms messages related to security issues of: internet explorer, outlook, windows media player and java virtual machine since 2000. it's created and updated by a small piece of php script - updated 3 times per day. RIGHT HERE: http://iebug.com/ OR http://umbrella.name/iebug.com/display-homepage.php while reading the messages, i found there is something unclear about some past issues: ----- Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182) http://umbrella.name/iebug.com/display-singlemessage.php?readms g:mssec_message-20030041 ----- Bugtraq: Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! [CRITICAL] http://umbrella.name/iebug.com/display-singlemessage.php?readms g:bugtraq_message-2003050101 ----- Bugtraq: Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - UPDATED http://umbrella.name/iebug.com/display-singlemessage.php?readms g:bugtraq_message-2003050157 ----- Bugtraq: Re: Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - UPDATED http://umbrella.name/iebug.com/display-singlemessage.php?readms g:bugtraq_message-2003050179 ----- i put these old messages here because the problem was not explained well, and most importantly, other modules may also be vulnerable. check all messages above and then read on. consider the following C code: ----- [read_program_details] if(showComfirmationDialog()==USER_PRESSED_CANCEL) return FALSE; [install_program] ----- anything wrong with the above code? the Windows OS can only create a limited number of window objects. what will happen if the number of existing windows already reached the limit? showComfirmationDialog() will return some error code instead of USER_PRESSED_CANCEL, and [install_program] will get executed. btw, "writing secure code" http://www.microsoft.com/mspress/books/5957.asp covered a similar case(in that case, it's memory instead of window objects.) that book helped me think on the bug. i was believing ms at that time. i read those bugtraq messages and reported the authenticode dialog bug to ms in 1 week. the authenticode dialog bug was harder to reproduce. the download dialog bug AND the authenticode dialog bug have nothing to do "security zone","download request", "low memory", etc. you can use NOTEPAD windows(the "view-source" protocol) to do the same thing. __________________________________ Do you Yahoo!? Friends. Fun. Try the all-new Yahoo! Messenger. http://messenger.yahoo.com/