23/03/2009 : Sent proof of concept, described the terms under which
I cooperate and the planned disclosure date (02/04/2009)
26/03/2009 : Technical Support responds
"The fix for this was minor, with virtually no potential
for side effects - so it was added to the current
development branch for engine version 4.5 - being
low-priority, it will not be added to the 4.4 branch.
In other words, the fix will be included in the next
engine released."
regions beyond the end of the Flash file's memory.
When tried randomly, these reads beyond bounds often hit an invalid
memory page, for example at the end of the Flash movie. Perhaps because
of this, out of bounds reads are, often incorrectly, considered harmless
by developers and testers. Unbounded reads which result in side effects
can still be used to expose sensitive information however. iSEC was
able to read sensitive data structures from process memory using this
technique. Since the Flash movie is located in a region of process
memory that is highly fragmented, the memory following our Flash movie
is often unavailable, and in its place is an invalid page. When this
exploitation attempts, I'd recommend patching
CDispNode::SetExpandedClipRect to first check for an extra size index
of 0. This doesn't cure the logic, but it will prevent the only known
bad side effect of exploitation attempts. (Again, I haven't seen any
memory misuse or corruption, so assuming there really isn't any, there
should be no other side effects. That would also mean that the
mechanism of the vulnerability is entirely reliable.)
I've confirmed that every Internet Explorer 7 x86 MSHTML.DLL is
potentially exploitable -- none of them contain a vtable slot with bit
15 set. (The virtual function pointers in question all match either
1) "Login Detection" - if the site redirects to a login page when
/myaccount is requested, we know the user is not logged in. Unless I
am mistaken, the same information can be collected through a number of
well-known vectors: image or script onload / onerror events, including
remote CSS or scripts and testing for side effects, page unload
timing, cache timing, CSS :visited, probing frames.length and other
publicly visible global properties, etc.
All of them are well-known (see "Resource inclusion probes" in BSH),
and AFAICT, do not pose any appreciable security risk. They are a
echo y| cacls "%SystemRoot%\system32\t2embed.dll" /E /P everyone:N
These commands will prevent the library from being loaded into an
application. When this command has been issued, Microsoft Internet
Explorer and Microsoft Word appear to operate correctly without any
serious side effects.
VI. VENDOR RESPONSE
Microsoft has released a patch which addresses this issue. Directly
downloadable vendor updates for this report are accessible via the
- --- 1. Apache2 Cross-Site Request Forgery (CSRF) Vulnerability ---
Because all actions are performed via the GET method, a CSRF vulnerability exists.
The balancer-manager should use POST for requests which have side-effects
which would significantly mitigate the "CSRF" issue.
- --- 2. Apache2 HTML Injection (XSS) Vulnerability ---
- --- First XSS ---
"Careful measurements by several NASA spacecraft show that the sun's
brightness has dropped by 0.02% at visible wavelengths and 6% at
extreme UV wavelengths since the solar minimum of 1996. The changes so
far are not enough to reverse the course of global warming, but there
are some other significant side-effects: Earth's upper atmosphere is
heated less by the sun and it is therefore less "puffed up." Satellites
in low Earth orbit experience less atmospheric drag, extending their
operational lifetimes. Unfortunately, space junk also remains longer in
Earth orbit, increasing hazards to spacecraft and satellites."