Re: [Full-disclosure] More information on ZERT patch for ANI 0day
On 4/3/07, Stefan Kelm <stefan.kelm@xxxxxxxxxx> wrote:
Has anyone actually checked what this patch does? Who are ZERT and
ISOTF respectively ("About ISOTF" at http://www.isotf.org/?page_value=0
says a lot...)?
...or is this an April Fool's joke?
The patch is 100% real and it is effective. I've seen it in action on
testbeds. I can't claim to be an unbiased observer, as I helped some
with the actual engineering process.
There's a list of team members available:
http://www.isotf.org/zert/members.htm
ZERT includes a handful of the industry's most talented reverse
engineering experts. You will know many of them if you follow
security news regularly, and some of them whose names may not be
familiar to you (like Michael Ligh and Gil Dabah) are nonetheless,
master craftsmen of the trade we call security engineering. If I were
running a security department, I'd hire them.
You don't have to listen to me, though. For the cynics out there who
are as comfortable vetting code yourself as listening to me (nothing
wrong with that, either), there's source code in the downloadable ZIP.
The code is missing for two components:
1. The patch ships the Microsoft Layer for Unicode (MSLU) in
Unicows.dll which enables us to support platforms (Windows 95/98/Me)
which are no longer officially supported by Microsoft. You can
replace that DLL with your own copy of the MSLU library if you're
concerned about its origins -- it hasn't been modified at all.
2. The patch sources static link to Gil Dabah's distorm disassembler
library (distorm.lib) as well. That library is used to identify the
vulnerable code within the affected DLL. You can build your own of
that, from source, if you wish:
http://www.ragestorm.net/distorm/
Don't worry... the patch doesn't bite. In either sense of the word.
Regards,
Matt Murphy