[http://arstechnica.com/microsoft/news/2009/07/a-single-extra-resulted-in-ie-exploit.ars]

Microsoft isn't alone: I've made this mistake also.  Anybody else want
to confess?

=====
Microsoft has admitted that a single extra ampersand ("&") resulted in
the recently patched Internet Explorer exploit.
By Emil Protalinski | Last updated July 29, 2009 3:22 PM CT

[...]

"The extra '&' character in the vulnerable code causes the code to
write potentially untrusted data, of size cbSize, to the address of
the pointer to the array, pbArray, rather than write the data into the
array, and the pointer is on the stack. This is a stack-based buffer
overrun vulnerability." The typo corrupted the code of the MSVidCtl
ActiveX control used by Internet Explorer.

Here is the line in question:

    hr = pStream->Read((void*)&pbArray, (ULONG)cbSize, NULL);

should be

    hr = pStream->Read((void*)pbArray, (ULONG)cbSize, NULL);

[...]
=====
-- 
Soh Kam Yung
my Google Reader Shared links:
(http://www.google.com/reader/shared/16851815156817689753)
my Google Reader Shared SFAS links:
(http://www.google.com/reader/shared/user/16851815156817689753/label/sfas)
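To make the quoted explanation concrete, here is a small added example (my own constructed code, not Microsoft's MSVidCtl source or the real IStream interface). A toy in-memory Stream stands in for pStream, and its read routine takes the destination's capacity alongside the pointer. With the correct call, the capacity is cbSize and the read lands in the array; with the extra '&', the destination is the pointer variable itself, whose capacity is only sizeof(pbArray), so the bounded read refuses. A third function performs a write small enough to stay inside the pointer slot and shows that the pointer's value, not the array, is what changes. The corrupted pointer is never dereferenced.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char BYTE;
typedef unsigned long ULONG;

/* Constructed stand-in for the COM IStream: an in-memory byte source. */
typedef struct {
    const BYTE *data;
    size_t len;
    size_t pos;
} Stream;

/* Constructed sample input, 16 bytes of 'A'; labelled as made up for this demo. */
static const BYTE kSample[16] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};

/* Bounded read: copies at most cb bytes into dst, but only when the caller's
   stated destination capacity dst_cap can hold them. Returns the number of
   bytes copied, or -1 when the request would overrun dst. */
static long stream_read(Stream *s, void *dst, size_t dst_cap, ULONG cb) {
    if (cb > dst_cap) return -1;            /* refuse instead of overrunning */
    size_t avail = s->len - s->pos;
    size_t n = cb < avail ? cb : avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (long)n;
}

/* Correct form: the destination is the array pbArray points to and the
   capacity passed with it is the array's size. The bytes read are copied to
   out_copy so a caller can verify them. Returns bytes read, or -1. */
long read_into_array(const BYTE *payload, size_t payload_len, ULONG cbSize,
                     BYTE *out_copy) {
    Stream s = { payload, payload_len, 0 };
    BYTE *pbArray = malloc(cbSize);
    if (!pbArray) return -1;
    long n = stream_read(&s, (void *)pbArray, cbSize, cbSize);
    if (n > 0) memcpy(out_copy, pbArray, (size_t)n);
    free(pbArray);
    return n;
}

/* Mistaken form: `&pbArray` makes the destination the pointer variable that
   lives in this function's stack frame. Its capacity is sizeof(pbArray), so
   any cbSize larger than a pointer is refused by the bounded read. The
   original pointer is saved separately so the array can still be freed. */
long read_into_pointer_slot(const BYTE *payload, size_t payload_len, ULONG cbSize) {
    Stream s = { payload, payload_len, 0 };
    BYTE *pbArray = malloc(cbSize);
    if (!pbArray) return -1;
    BYTE *original = pbArray;
    long n = stream_read(&s, (void *)&pbArray, sizeof pbArray, cbSize);
    free(original);
    return n;
}

/* Shows the mechanism with a write that fits inside the pointer slot: after
   reading sizeof(pbArray) bytes into &pbArray, the pointer no longer holds
   the array's address. Returns 1 if the pointer value changed, 0 if not,
   -1 on allocation failure. The corrupted pointer is never dereferenced. */
int pointer_slot_is_overwritten(void) {
    Stream s = { kSample, sizeof kSample, 0 };
    BYTE *pbArray = malloc(sizeof kSample);
    if (!pbArray) return -1;
    BYTE *original = pbArray;
    stream_read(&s, (void *)&pbArray, sizeof pbArray, (ULONG)sizeof pbArray);
    int changed = memcmp(&pbArray, &original, sizeof pbArray) != 0;
    free(original);
    return changed;
}
```

The defensive point carried by the toy read routine is that the destination capacity travels with the pointer rather than being trusted from the stream, which is what the `(void*)` cast in the original line hid: it let a `BYTE**` be passed where a `BYTE*` was meant, with the attacker-controlled cbSize bounding nothing.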

_______________________________________________
Slugnet mailing list
[email protected]
http://wiki.lugs.org.sg/LugsMailingListFaq
http://www.lugs.org.sg/mailman/listinfo/slugnet
