PGP key for vulnerability reports

Mark Doliner mark at kingant.net
Mon Jan 13 22:44:21 EST 2014


On Mon, Jan 13, 2014 at 2:35 PM, Rich Johnson (richjoh)
<richjoh at cisco.com> wrote:
> VRT-2013-1001 - Yves Younan and Ryan Pentney of Sourcefire VRT
> VRT-2013-1002 - Yves Younan and Pawel Janic of Sourcefire VRT
> VRT-2013-1003 - Yves Younan of Sourcefire VRT
> VRT-2013-1004 - Yves Younan of Sourcefire VRT

Noted. Thank you.

> For the file handling vulnerability, it might make the most sense to whitelist http/https and warn on
> all other strings, then do a CreateProcess on iexplore.exe (or pull default browser string from
> registry) and pass the URL as an argument. Our analysis showed that a ShellExecute has different
> behavior than that of the browser itself.

To clarify... you're saying we could pass the file:// URI directly to
the browser instead of going through ShellExecute? My currently line
of thinking is that the browser isn't the most appropriate handler for
file:// URIs. I think we're better off showing the file in a file
manager. Or, if the system has a handler registered for file:// URIs
then we should show a warning before calling it.

> There was also a followup email by Yves that showed the URL handling bug to be exploitable in KDE in case you hadn't seen that yet?

Yes! I did see that comment. In my testing (and in Yves' email), the
KDE file manager shows a prompt "Do you really want to execute
'file:///whatever'? That seems sufficient to me for now. I think a
better solution would be for Pidgin to show a more tailored warning...
but I personally feel that can wait until 3.0.0.

> We will be posting these advisories on our blog and releasing the signatures to the open
> source snort community in tandem with your release, so please let us know when you
> get the CVE numbers so we can add them to our local copies.

Will do.


More information about the security mailing list