IEBUG: Archives of Internet Explorer

To: BugTraq at SECURITYFOCUS <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: IEBUG: Archives of Internet Explorer
From: Liu Die Yu <liudieyuinchina@xxxxxxxxxxxx>
Date: Tue, 25 May 2004 19:56:53 -0700 (PDT)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

IEBUG: Archives of Internet Explorer
====================================

hi, everyone. i have created a website containing all bugtraq&fd&ms messages 
related to security
issues of:
internet explorer, outlook, windows media player and java virtual machine
since 2000.
it's created and updated by a small piece of php script - updated 3 times per 
day.

RIGHT HERE:
http://iebug.com/
OR
http://umbrella.name/iebug.com/display-homepage.php

while reading the messages, i found there is something unclear about some past 
issues:
-----
Vulnerability in Authenticode Verification Could Allow Remote Code Execution 
(823182)
http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:mssec_message-20030041
-----
Bugtraq: Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! [CRITICAL]
http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:bugtraq_message-2003050101
-----
Bugtraq: Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - UPDATED
http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:bugtraq_message-2003050157
-----
Bugtraq: Re: Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - 
UPDATED
http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:bugtraq_message-2003050179
-----

i put these old messages here because the problem was not explained well, and 
most importantly,
other modules may also be 

vulnerable.


check all messages above and then read on.

consider the following C code:

-----
[read_program_details]
if(showComfirmationDialog()==USER_PRESSED_CANCEL)
        return FALSE;
[install_program]
-----

anything wrong with the above code?

the Windows OS can only create a limited number of window objects.
what will happen if the number of existing windows already reached the limit?

showComfirmationDialog() will return some error code instead of 
USER_PRESSED_CANCEL, and
[install_program] will get 

executed.

btw, "writing secure code"
http://www.microsoft.com/mspress/books/5957.asp
covered a similar case(in that case, it's memory instead of window objects.)
that book helped me think on the bug.

i was believing ms at that time. i read those bugtraq messages and reported the 
authenticode
dialog bug to ms in 1 week. the 

authenticode dialog bug was harder to reproduce. the download dialog bug AND 
the authenticode
dialog bug have nothing to do 

"security zone","download request", "low memory", etc. you can use NOTEPAD 
windows(the
"view-source" protocol) to do the 

same thing.



        
                
__________________________________
Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/

Prev by Date: [security bulletin] SSRT4719 hp OpenView Select Access remote unauthorized access
Next by Date: [ GLSA 200405-21 ] Midnight Commander: Multiple vulnerabilities
Previous by thread: [security bulletin] SSRT4719 hp OpenView Select Access remote unauthorized access
Next by thread: [ GLSA 200405-21 ] Midnight Commander: Multiple vulnerabilities
Index(es):
- Date
- Thread