> So how is this a patch when you are simply automating a simple work > around? > > If this can be called a patch then we should be able to say that > Microsoft released a patch in their bulletin on this issue where they > describe exactly how to set the killbit. > > A *real* patch would actually address the vulnerable code. Our (ZERT's) VML patch was what you refer to as "real". There was space issue with not enough bytes to play with, so Gil Dabah, one of our members, re-wrote the vulnerable function in Yasm, compiled it, and hard-coded the compiled code into the binary, with room to spare, saving functionality. Code crunching is back in style. :) You can read about the vulnerability, the patch and the Microsoft patch here (technical + ASM and C code): http://zert.isotf.org/papers/vml-details-20060928.pdf As to the setSlice() patch... an alternative does not necessarily mean intrusive. A patch for the setSlice() vulnerability was already provided by Determina which was very nice and very professional. It used some ideas we developed ourselves - we liked it - it was a very efficient patch. It came out as commercial, though. We release our work under GPL and Creative Commons with full source code available. In this incident (ZERT2006-02) We provided with an automation of the workaround, to make it simple for users and organizations which are interested, and for whom a third party patch is too risky for various reasons ranging from support to liability, to protect themselves. As an example, Network admins can easily use the console version of ZProtector to run in the login script of a domain. ZProtector is not a patch per se, it is an automated kill bit software which gets updated as new unpatched vulnerabilities and 0days are disclosed/discovered/reported. For more information, you can visit the Zeroday Emergency Response Team web site at: http://isotf.org/zert/ IMPORTANT: third party patches should always be considered a last resort, and used only if the other solutions, if such exist, are not good for you. I like the idea of having an alternative. ZERT withdrew its VML patch as soon as Micorosft released the official patch. They did really good work on it. Kudos to the guys at MSRC. Thanks, Gadi.
