Charles Morris <[EMAIL PROTECTED]> wrote: > ... iexplore.exe calls CreateProcess() [insecurely]. ... > Microsoft was notified, they told me it was a "non issue" ...
References I have to similar behaviour: Useless tidbit [MS AntiSpyware, program.exe trick] http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html Window's O/S [IE notepad.exe in Desktop] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039095.html http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039109.html http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039116.html Seems that Microsoft recognized and promised to fix this in Antispyware (now Windows Defender), I do not see why they cannot fix IExplore also. Cheers, Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
