Author Topic: New MS hole may get an out of band patch!  (Read 1856 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
New MS hole may get an out of band patch!
« on: July 22, 2009, 08:49:02 PM »
Hi malware fighters,

The new MS Direct-X hole could be more serious as thought at first.

This bug goes much deeper than was thought at first, re:
http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html
The patch which consisted in setting a kill-bit did nothing fundamentally about the underlying hole, this issue was commented here:
http://blog.ncircle.com/blogs/vert/archives/2009/07/enough_is_enough.html

Micosoft knew about the issue for over one year and had already started to contemplate a patch for it as they got startled by seeing this deep bug that could transgress to third party software being abused in the wild. An out of band patch might be in the bargain if more abuse is seen. The hole deep inside Windows seems to be exploitable in various other ways, so setting a kill-bit is not enough.
So MS could have unwillingly introduced leaks into third party software that would not be so easily patched.
What can we do against this bug a skeleton that has now crept out of the Microsoft cupboard?
SafeArray another bad concept for a global standard? Horrendously cruddy........the outset is simple, but it rapidly degrades into the stinking mess you see today because the design flaws are right at the center, and are going to haunt us rather sooner than later....

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!