Re: Third-party patch for CVE-2007-3896, UPDATE NOW

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: Third-party patch for CVE-2007-3896, UPDATE NOW
From: "KJK::Hyperion" <hackbunny@xxxxxxxxxx>
Date: Wed, 17 Oct 2007 14:16:21 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <47118759.40608@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: s0ftproject
References: <alpine.DEB.0.82.0710051231540.5461@xxxxxxxxxxxxxxxx><096A04F511B7FD4995AE55F13824B833213116@contoso><1074747703.20071006181321@xxxxxxxxx><ADEBD71E92984607B8058F44523CD231@control3><5980.1191770461@xxxxxxxxxxxxxxxxxxxxxxx><22F925539B944A4A89DB24977AA02DC2@control3> <1797187150-1191814472-cardhu_decombobulator_blackberry.rim.net-1832988594-@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <470C2923.5030904@xxxxxxxxxx> <47118759.40608@xxxxxxxxxx>
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

KJK::Hyperion ha scritto:
> The present patch is dramatically under-tested and it has underwent no
> quality assurance procedure whatsoever, so please deploy with the
> greatest care.

Indeed, I just found a gruesome memory leak in it. A silly bug, brown
paperbag-grade shame. If you installed my patch, upgrade RIGHT THIS
MOMENT NOW or slowly die:

<http://spacebunny.xepher.net/hack/shellexecutefiasco/>

For the press guys watching: THIS IS VERY IMPORTANT, more important than
the original patch was. I don't expect "shitty patch actually shitty" to
seriously make the big headlines, but, hey, a heads up: there is a good
reason Microsoft takes a lot of time to put patches out, after all. I
don't do this for the reputation, either: I already made a U-turn on my
feelings about the vulnerability, I'm not too proud to admit my mistakes
(god knows how big the egos can get in FD)

References:
- URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
  - From: Juergen Schmidt
- RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
  - From: Roger A. Grimes
- Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
  - From: Thierry Zoller
- Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype
  - From: Geo.
- Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype
  - From: gjgowey
- Third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) available
  - From: KJK::Hyperion

Prev by Date: Cisco Security Advisory: Cisco Unified Communications Web-based Management Vulnerability
Next by Date: Re: SSH attacks - anyone else seen these?
Previous by thread: Third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) available
Next by thread: Re: URI handling woes in Acrobat Reader, Netscape,Miranda, Skype
Index(es):
- Date
- Thread