PGP key for vulnerability reports

Daniel Atallah datallah at pidgin.im
Sat Nov 23 12:21:04 EST 2013


On Mon, Nov 18, 2013 at 5:27 PM, Richard Johnson <rjohnson at sourcefire.com> wrote:

> Windows can be forced to map the first page via a VirtualAlloc if the
> memory is sufficiently filled / fragmented. This no longer applies in
> Windows 8 I believe but for all others it does. I used to work on the
> Microsoft Security team and can confirm this to be true. I'm not positive
> about whether there are specific mitigations against this in OSX or vanilla
> Linux kernel. Either way, most vendors consider a writeAV to be
> exploitable.
>
> Yeah, the URL handling bug is particularly annoying because we cannot
> write a signature for it from an IPS perspective.
>

I've looked into the URL handling issue and this is what's going on:
We actually don't do any filtering on the URLs based on anything other than
URL scheme (mainly because we can't be in the business of deciding what
links are safe or not past a trivial level of some scheme whitelisting).
The way it works is pretty simple: only "http", "https", "ftp", "mailto"
schemes are passed to ShellExecute as classes to be handled - anything else
is sent to ShellExecute to be handled by the "http" class.
The way that I understand it, the browser is then responsible for handling
whatever gets past that point (the same effect as if the user clicked the
link directly in the browser).

If there is a better strategy that's reasonable to implement or there's an
incorrect assumption in the above, we'd be interested to know about it.

-D
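A model of the scheme-whitelisting dispatch that the message above describes, added here as an example; it is not Pidgin's code, and the function names, the strict variant and the constructed sample URLs are my own assumptions. It shows the point worth noticing for a defender: the fallback does not reject a non-whitelisted scheme, it only changes the ShellExecute class while the URL string itself is forwarded unchanged.

```python
import re
from typing import Optional

# Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Schemes the message says are handed to ShellExecute under their own class.
PASSTHROUGH_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})


def extract_scheme(url: str) -> Optional[str]:
    """Return the lowercase scheme of `url`, or None if it has no valid scheme."""
    m = _SCHEME_RE.match(url.strip())
    return m.group(1).lower() if m else None


def dispatch_class(url: str) -> str:
    """Model of the policy in the message: a whitelisted scheme selects its own
    class; anything else is sent under the "http" class. Note that the URL
    string itself is passed on unchanged, so the original scheme survives."""
    scheme = extract_scheme(url)
    return scheme if scheme in PASSTHROUGH_SCHEMES else "http"


def dispatch_class_strict(url: str) -> Optional[str]:
    """Assumed alternative (not Pidgin's behaviour): refuse anything that is not
    whitelisted instead of forwarding it, so the "http" handler is never asked
    to interpret a URL whose scheme it was not meant to receive."""
    scheme = extract_scheme(url)
    return scheme if scheme in PASSTHROUGH_SCHEMES else None


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    samples = [
        "https://example.org/",
        "MAILTO:someone@example.org",
        "gopher://example.org/",
        "example.org/no-scheme",
    ]
    for link in samples:
        print(f"{link:32} class={dispatch_class(link):6} "
              f"strict={dispatch_class_strict(link)}")
```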