[Slugnet] [OT] ArsTechnica: One extra ampersand in code leads to IE exploit

Soh Kam Yung sohkamyung at gmail.com
Thu Jul 30 09:36:09 SGT 2009


[http://arstechnica.com/microsoft/news/2009/07/a-single-extra-resulted-in-ie-exploit.ars]

Microsoft isn't alone: I've made this mistake also.  Anybody else want
to confess?

=====
Microsoft has admitted that a single extra ampersand ("&") resulted in
the recently patched Internet Explorer exploit.
By Emil Protalinski | Last updated July 29, 2009 3:22 PM CT

[...]

"The extra '&' character in the vulnerable code causes the code to
write potentially untrusted data, of size cbSize, to the address of
the pointer to the array, pbArray, rather than write the data into the
array, and the pointer is on the stack. This is a stack-based buffer
overrun vulnerability." The typo corrupted the code of the MSVidCtl
ActiveX control used by Internet Explorer.

Here is the line in question:

    hr = pStream->Read((void*)&pbArray, (ULONG)cbSize, NULL);

should be

    hr = pStream->Read((void*)pbArray, (ULONG)cbSize, NULL);

[...]
=====
-- 
Soh Kam Yung
my Google Reader Shared links:
(http://www.google.com/reader/shared/16851815156817689753)
my Google Reader Shared SFAS links:
(http://www.google.com/reader/shared/user/16851815156817689753/label/sfas)
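
Added illustration (not part of the original post or of the MSVidCtl code): the quoted article says the stray '&' made the Read call use the address of the pointer variable pbArray as its destination instead of the buffer pbArray points to. The C below uses a constructed FakeStream in place of IStream::Read, shows the corrected call, checks arithmetically why a cbSize-byte write to &pbArray exceeds the pointer's own slot, and wraps the read in a checked variant that refuses a count larger than the declared capacity of the destination. The stream type, helper names and sample bytes are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the stream the article's code reads from: a fixed
 * byte sequence with a read cursor, mimicking the shape of IStream::Read
 * (destination pointer, byte count) without any COM dependency. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} FakeStream;

/* Copy up to cb bytes into pv; return the number of bytes actually copied. */
static size_t stream_read(FakeStream *s, void *pv, size_t cb) {
    size_t avail = s->len - s->pos;
    size_t n = cb < avail ? cb : avail;
    memcpy(pv, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* The corrected form of the article's line: pbArray already holds the address
 * of a cbSize-byte buffer, so the pointer value itself is the destination. */
size_t read_into_array(FakeStream *s, unsigned char *pbArray, size_t cbSize) {
    return stream_read(s, (void *)pbArray, cbSize);
}

/* Why `&pbArray` was wrong: that expression is the address of the pointer
 * variable, an object of sizeof(pbArray) bytes in the caller's frame, not of
 * the cbSize-byte buffer. Returns 1 when a cbSize-byte write there would run
 * past the pointer slot (the stack overrun the article describes), else 0. */
int would_overrun_pointer_slot(size_t cbSize) {
    unsigned char *pbArray = NULL;
    return cbSize > sizeof pbArray;
}

/* Hardened read: the caller states the capacity of the destination object and
 * the read is refused (returns -1, copies nothing) when cbSize exceeds it.
 * Passing &pbArray together with its true capacity (sizeof pbArray) makes the
 * typo fail closed instead of overwriting adjacent stack memory. */
int checked_read(FakeStream *s, void *dest, size_t dest_cap, size_t cbSize,
                 size_t *copied) {
    if (cbSize > dest_cap) {
        *copied = 0;
        return -1;
    }
    *copied = stream_read(s, dest, cbSize);
    return 0;
}

/* Constructed sample input: 16 bytes standing in for untrusted stream data. */
static const unsigned char SAMPLE[] = "ABCDEFGHIJKLMNOP";

int main(void) {
    FakeStream s = { SAMPLE, 16, 0 };
    unsigned char buf[16];
    unsigned char *pbArray = buf;
    size_t copied;

    size_t n = read_into_array(&s, pbArray, sizeof buf);
    printf("correct read: %zu bytes, first byte %c\n", n, buf[0]);

    /* The typo's destination, but through the checked wrapper: refused. */
    s.pos = 0;
    int rc = checked_read(&s, &pbArray, sizeof pbArray, sizeof buf, &copied);
    printf("checked_read into &pbArray: rc=%d copied=%zu\n", rc, copied);
    printf("64-byte write to the pointer slot overruns it: %d\n",
           would_overrun_pointer_slot(64));
    return 0;
}
```

Compile with `cc -Wall example.c && ./a.out`. The checked wrapper only helps if callers pass the capacity of the object they actually hand over; the lasting fix is the one in the article, which is to pass pbArray rather than its address.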