| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200605212131.k4LLVQZv024970@asti.maths.usyd.edu.au> Date: Sun May 21 22:31:46 2006 From: psz at maths.usyd.edu.au (Paul Szabo) Subject: Insecure call to CreateProcess()/CreateProcessAsUser() Charles Morris <cmorris@...odu.edu> wrote: > ... iexplore.exe calls CreateProcess() [insecurely]. ... > Microsoft was notified, they told me it was a "non issue" ... References I have to similar behaviour: Useless tidbit [MS AntiSpyware, program.exe trick] http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html Window's O/S [IE notepad.exe in Desktop] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039095.html http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039109.html http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039116.html Seems that Microsoft recognized and promised to fix this in Antispyware (now Windows Defender), I do not see why they cannot fix IExplore also. Cheers, Paul Szabo psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia
Powered by blists - more mailing lists