[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Insecure call to CreateProcess()/CreateProcessAsUser()
- To: cmorris@xxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Insecure call to CreateProcess()/CreateProcessAsUser()
- From: Paul Szabo <psz@xxxxxxxxxxxxxxxxx>
- Date: Mon, 22 May 2006 07:31:26 +1000
Charles Morris <cmorris@xxxxxxxxxx> wrote:
> ... iexplore.exe calls CreateProcess() [insecurely]. ...
> Microsoft was notified, they told me it was a "non issue" ...
References I have to similar behaviour:
Useless tidbit [MS AntiSpyware, program.exe trick]
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html
iDEFENSE Security Advisory 11.15.05:
Multiple Vendor Insecure Call to CreateProcess() Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
Window's O/S [IE notepad.exe in Desktop]
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039095.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039109.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039116.html
Seems that Microsoft recognized and promised to fix this in Antispyware
(now Windows Defender), I do not see why they cannot fix IExplore also.
Cheers,
Paul Szabo psz@xxxxxxxxxxxxxxxxx http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/