Message-ID: <OF2FC4C12B.22D52384-ON86256F12.006FFBC7-86256F12.0070F784@fnal.gov>
From: jklemenc at fnal.gov (jklemenc@...l.gov)
Subject: Re: Windows XP JPEG Buffer Overflow

Why is it that the GDI+ dll was fixed for PictureIT back in February '04? 
If you pull down all the patches, the PictureIT patches date to 02/26/04 
and the XP SP1 patch dates to 03/02/04? Then add to it XPSP2 is already 
patched. Did MS sit on this patch until there was an exploit available in 
the wild (or at least POC)? 

<SPECULATION>
My take on this is that someone was either writing their own JPG editor 
-OR- was using some 3rd party image editor and was adding comments to the 
image file. Their action of writing the comments field incorrectly (with 
an unprintable character at the start of the comment) either via their 
custom application -OR- via some 3rd party app triggered an application 
crash when viewing with PictureIT (or maybe PictureIT was the software 
used to create the comments). This was probably reported to MS as a 
PictureIT bug, which was patched in PictureIT. It was probably ported to 
the other GDI+ applications/OS's, but never rolled out (probably waiting 
to be rolled silently into a service pack as it was with XPSP2). Once POC 
code got out, they had to pull the trigger on releasing a patch. That 
would account for the numerous duplicate patches listed in the KB article. 
If you look, the gdiplus.dll is the same size/date/version for Office 
2003, Visio 2003 & Project 2003, as are others in like groups, except 
there are separate downloads for each. This seems to indicate that the 
offending file was fixed a while back, but was sitting dormant for each 
product until an update was issued separately. MS could have easily rolled 
up like patchsets to detect and update all of their products, such as in 
the past.
</SPECULATION>

How many other patches are in this state that will only be released once 
someone goes public with POC code?

