This week Microsoft released a patch for a critical Silverlight issue, MS16-006, and since I worked on Silverlight signatures in the past it caught my eye. It's a Remote Code Execution vulnerability which allows attackers to run code of their choice on the victim machine. I had a hunch that something more was hiding. I started to analyze it as soon as I finished writing signatures for the existing patch.

When I was working on the analysis, Kaspersky Lab published a great blog post about the story of this vulnerability. In this blog, I'm presenting an analysis of a different function that was also fixed in the same patch.

The Microsoft bulletin mentions "malicious decoder that can return negative offsets". Since there were too many files that were changed in the patch, I decided to just google ".net framework decoder", from which I came across mscorlib.dll. I decided to analyze it and below is a screen capture of the diff between the unpatched and patched file:

In the changed function list, most changes are related to the "GetChars()" function or related calls. The discoverer from Kaspersky had already reported that the vulnerability existed in "GetChars()". But I decided to investigate further for any other vulnerable entry points.