Tuesday, January 10, 2006

The Spin Begins - Internet Explorer WMF DoS Vulnerability

Several days after the WMF DoS PoC was released, Lennart Wistrand @ Microsoft has responded on the MSRC blog.

"Lennart Wistrand here. I wanted to write a few lines about the public post made over the weekend about a new specially crafted WMF image that could potentially cause the application using the Windows Graphics Rendering Engine to crash. As it turns out, these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit. These issues do not allow an attacker to run code or crash
the operating system. They may cause the WMF application to crash, in which case the user may restart the application and resume activity. We had previously identified these issues as part of our ongoing code maintenance and are evaluating them for inclusion in the next service pack for the affected products."

Wow. So now DoS is a performance issue. I rather Microsoft say "It isn't very dangerous yet, it isn't being exploited in the wild and we have more important issues to fix".

Important issues like:

EEYEB-20050505 - Remote Code Execution Vuln in IE and Outlook
EEYEB-20050627 - Remote Code Execution Vuln in Windows W2k-2003
EEYEB-20050801 - Remote Code Execution Vuln in Windows W2K-2003
EEYEB-20051017 - Remote Code Execution Vuln in IE and Media Player (metafile/media file??)

Let's not get into the DoS, Privilege Escalation, Security Bypass, System Access vulnerabilities listed for a wide range of Microsoft products on Secunia.

And those spoofing problems with IE that help phishers attack normal internet users.

Microsoft, you are doing better that is for sure, but the spin isn't needed. We are all adults here...

No comments:

Post a Comment