<<< Date Index >>>     <<< Thread Index >>>

Technical Paper on the ZERT Patch and VML [was: Re: ZERT patch for setSlice()]



> So how is this a patch when you are simply automating a simple work
> around?
> 
> If this can be called a patch then we should be able to say that
> Microsoft released a patch in their bulletin on this issue where they
> describe exactly how to set the killbit.
> 
> A *real* patch would actually address the vulnerable code.

Our (ZERT's) VML patch was what you refer to as "real". There was space
issue with not enough bytes to play with, so Gil Dabah, one of our
members, re-wrote the vulnerable function in Yasm, compiled it, and
hard-coded the compiled code into the binary, with room to spare, saving
functionality. Code crunching is back in style. :)

You can read about the vulnerability, the patch and the Microsoft patch
here (technical + ASM and C code):

http://zert.isotf.org/papers/vml-details-20060928.pdf

As to the setSlice() patch... an alternative does not necessarily mean
intrusive. A patch for the setSlice() vulnerability was already provided
by Determina which was very nice and very professional. It used some
ideas we developed ourselves - we liked it - it was a very efficient
patch.
It came out as commercial, though. We release our work under GPL
and Creative Commons with full source code available.

In this incident (ZERT2006-02) We provided with an automation of the
workaround, to make it simple for users and organizations which are
interested, and for whom a third party patch is too risky for various
reasons ranging from support to liability, to protect themselves.

As an example, Network admins can easily use the console version of
ZProtector to run in the login script of a domain. ZProtector is not a
patch per se, it is an automated kill bit software which gets updated as
new unpatched vulnerabilities and 0days are disclosed/discovered/reported.

For more information, you can visit the Zeroday Emergency Response Team
web site at: http://isotf.org/zert/

IMPORTANT: third party patches should always be considered a last resort,
and used only if the other solutions, if such exist, are not good for
you. I like the idea of having an alternative.

ZERT withdrew its VML patch as soon as Micorosft released the official
patch. They did really good work on it. Kudos to the guys at MSRC.

Thanks,

        Gadi.