Yet in my defense, CERT calls it a "buffer overflow" ;)
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Ferrie
> Sent: Thursday, December 29, 2005 11:51 AM
> To: [email protected]
> Subject: RE: Re[2]: [Full-disclosure] test this
>
> >TrendMicro has released pattern file = 3.135.00 It appears to pick up
> >all the trojans using the WMF exploit as of right now. Variants could
> >affect this however.
>
> If they're blindly detecting anything that contains the
> SetAbortProc, then they're detecting the legitimate use of a
> documented function.
>
> >Is this buffer overflow pretty specific like the older GIF exploit? If
> >I remember correctly, there were really only two ways to make the GIF
> >exploit work, so the detection was pretty solid. Is this exploit
> >similar? Or does it have some trick point that could be used to fool
> >known sigs?
>
> Perhaps you should read about it on Microsoft's site.
> It's not a buffer overflow. WMF files since at least Windows
> 3.0 days have been allowed to carry executable code in the
> form of their own SetAbortProc handler. This is perfectly
> legitimate, though the design is a poor one. The only thing
> that has changed is the code that is being executed.
>
> 8^) p.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
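The point Ferrie makes above is that a SETABORTPROC escape is an ordinary, documented WMF record, so a signature that fires on its mere presence flags legitimate files. The scanner below is an added illustration (not code from this thread, Trend Micro, or Microsoft) of what a record-aware check looks like: it walks the WMF record stream, locates META_ESCAPE records whose escape function is SETABORTPROC, and reports the offset and size of the escape data so an analyst can look at what the handler actually contains instead of treating presence as verdict. The record layout (placeable pre-header key 0x9AC6CDD7, 18-byte standard header, records of RecordSize-in-WORDs + RecordFunction, META_ESCAPE = 0x0626, SETABORTPROC = 0x0009) is the published WMF format; the two sample files are constructed in the block, with zero bytes standing in for escape data.

```python
import struct

META_ESCAPE = 0x0626        # WMF record function code for META_ESCAPE
META_EOF = 0x0000           # terminating record
SETABORTPROC = 0x0009       # escape sub-function that installs an abort handler
PLACEABLE_KEY = 0x9AC6CDD7  # "placeable" WMF pre-header magic (22-byte pre-header)


def iter_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable pre-header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # standard header: mtType, mtHeaderSize (WORDs), mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    hdr_size_words = struct.unpack_from("<H", data, off + 2)[0]
    off += hdr_size_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record size at offset {off}")
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def find_abortproc_escapes(data):
    """Return [(record_offset, escape_byte_count, escape_data)] for every SETABORTPROC escape.

    Presence alone is not a verdict: as the thread notes, this record is documented
    and legitimate. The returned data is what an analyst should actually inspect.
    """
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count, params[4:4 + byte_count]))
    return hits


# --- constructed samples (not real files from the wild) ---------------------

def build_record(func, params=b""):
    body = params if len(params) % 2 == 0 else params + b"\x00"
    return struct.pack("<IH", (6 + len(body)) // 2, func) + body


def build_wmf(records):
    body = b"".join(records) + build_record(META_EOF)
    max_rec_words = max(len(r) // 2 for r in records + [build_record(META_EOF)])
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec_words, 0)
    return header + body


# benign: a SETBKCOLOR record and a META_ESCAPE that is *not* SETABORTPROC (NEWFRAME = 1)
BENIGN_WMF = build_wmf([
    build_record(0x0201, b"\x00\x00\x00\x00"),
    build_record(META_ESCAPE, struct.pack("<HH", 0x0001, 0)),
])

# carries a SETABORTPROC escape with 8 placeholder bytes of escape data (zeros, constructed)
ESCAPE_WMF = build_wmf([
    build_record(0x0201, b"\x00\x00\x00\x00"),
    build_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + bytes(8)),
])


def scan(samples):
    """Return {name: number_of_SETABORTPROC_records} for a dict of WMF byte strings."""
    return {name: len(find_abortproc_escapes(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, hits in scan({"benign": BENIGN_WMF, "escape": ESCAPE_WMF}).items():
        print(f"{name}: {hits} SETABORTPROC record(s)")
    for off, count, payload in find_abortproc_escapes(ESCAPE_WMF):
        print(f"  escape record at offset {off}, {count} bytes of handler data: {payload.hex()}")
```

A blind pattern that matches the bytes of a SETABORTPROC escape would flag `ESCAPE_WMF` and any legitimate print-spooler metafile alike; reporting offset and handler size lets a reviewer compare what is in the record against what a drawing application would plausibly emit, which is the distinction Ferrie is drawing.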
