Dear Michele Cicciotti, --Thursday, December 21, 2006, 6:20:54 PM, you wrote to full-disclosure@xxxxxxxxxxxxxxxxx: >> There is interesting thing with event logging on Windows. The only >> security aspect of it is event log record tampering and performance >> degradation, but it may become sensitive is some 3rd party software is >> used for automated event log analysis. MC> I doubt this. The event logs don't contain the actual formatted MC> string, because the template string is localized and only retrieved MC> when the entry is displayed - what is logged is just a message id MC> and the string inserts (see documentation for EVENTLOGRECORD). MC> FormatMessage (which is used to build the full message to display to MC> the user) isn't the culprit, either, because it doesn't operate MC> recursively (that would have bizarre consequences, since As I wrote, my message is semi-offtopic, because it's more fun than any security vulnerability here. Yes, probably this bug only affects event viewer itself. I don't understand how and why Microsoft achieved this effect in event viewer, which is, by the way, security tool, and if it's hard for different vendor to make same mistake. It doesn't look like Easter egg, but if FormatMessage does not recursion it needs to be specially coded and it does nothing except this bug. Bug, that needs to be specially coded is new funny bug category, isn't it? -- ~/ZARAZA http://www.security.nnov.ru/
