http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VJeJDF4AKD
Cutting to the chase, VBScript permits in-place resizing of arrays through the command “redim preserve.” This is where the vulnerability is.
    redim preserve arrayname( newsizeinelements )
VBScript.dll contains a runtime evaluation method, CScriptRuntime::Run(VAR *), which farms out the SafeArray redimension task to OleAut32.dll with the SafeArrayRedim(…) function. Essentially, what happens is that fairly early on, SafeArrayRedim() will swap out the old array size (element count) with the resize request. However, there is a code path where, if an error occurs, the size is not reset before returning to the calling function, VBScript!CScriptRuntime::Run().
Convenient functions that change array sizes can obviously be very dangerous unless they're fully locked down.
The article makes it seem that one would have to be pretty sharp to exploit this vulnerability, but it does say:
Hopefully, if you’ve made it this far, you have a pretty good idea how powerful the data attacks facilitated by this bug can be. Again, our disclosure was originally submitted a number of months ago, and while we are not exclusive with the exploitation techniques described, it contributes well toward our goal of describing a significant vulnerability and how it was turned into a viable proof-of-concept attack toward disclosure. We incorporated product coverage for the OLE vulnerability with our network IPS, and so far, the signature we developed has not fired. However, for the attack techniques discussed, I think it is only a matter of time before we see them in the wild.
Oh, and while DLL Hell supposedly was fixed long ago, it came back in 2010 or so. Dr Dobbs. Ah, the joys of being a Winders developer, amirite?
Cheers,
Scott.
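A small C model of the ordering flaw the quoted article describes: the element count in the array descriptor is swapped to the requested size before the backing store is grown, and the error path returns without restoring it, so a bounds check that trusts the descriptor will pass indexes that have no memory behind them. This is an added example, not code from the original post, from IBM X-Force, or from OleAut32/VBScript; the toy_array struct, the function names, the allocation limit used to force the failure, and the model-only `allocated` field are all assumptions made for illustration. The buggy routine sits beside the corrected ordering so the difference in state after a failed resize can be measured directly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a one-dimensional SafeArray-style descriptor. This is NOT
 * OleAut32's SAFEARRAY layout; only the two things the bug turns on are
 * modelled: the element count the runtime trusts, and the real backing
 * store. `allocated` exists only so the example can measure the damage; a
 * script engine has no such field and trusts `elements` alone. */
typedef struct {
    uint32_t elem_size;  /* bytes per element */
    uint32_t elements;   /* element count used for bounds checks */
    uint32_t allocated;  /* elements actually backed by `data` (model only) */
    uint8_t *data;       /* backing buffer */
} toy_array;

/* Assumption: allocations above this limit fail. It stands in for any
 * realloc failure and lets the error path be reached deterministically. */
static const size_t ALLOC_LIMIT = 1u << 20;   /* 1 MiB */

static void *limited_realloc(void *p, size_t n)
{
    if (n > ALLOC_LIMIT) return NULL;  /* old block stays valid, as with realloc */
    return realloc(p, n);
}

bool toy_array_init(toy_array *a, uint32_t elem_size, uint32_t elements)
{
    size_t bytes = (size_t)elem_size * elements;
    a->data = calloc(1, bytes ? bytes : 1);
    if (!a->data) return false;
    a->elem_size = elem_size;
    a->elements = elements;
    a->allocated = elements;
    return true;
}

/* Buggy redimension, mirroring the flaw described above: the descriptor's
 * element count is swapped to the new size early, and the error path returns
 * without restoring it. */
int redim_buggy(toy_array *a, uint32_t new_elements)
{
    uint32_t old_elements = a->elements;
    a->elements = new_elements;                       /* swapped in early */
    void *p = limited_realloc(a->data, (size_t)new_elements * a->elem_size);
    if (p == NULL) {
        /* BUG: returns with a->elements == new_elements while the buffer
         * still holds only old_elements. */
        (void)old_elements;
        return -1;                                    /* E_OUTOFMEMORY-style */
    }
    a->data = p;
    a->allocated = new_elements;
    return 0;
}

/* Corrected ordering: commit the new count only after the store has grown,
 * so a failed resize leaves the descriptor exactly as it was. */
int redim_fixed(toy_array *a, uint32_t new_elements)
{
    void *p = limited_realloc(a->data, (size_t)new_elements * a->elem_size);
    if (p == NULL) return -1;                         /* descriptor untouched */
    a->data = p;
    a->elements = new_elements;
    a->allocated = new_elements;
    return 0;
}

/* The bounds check a script runtime performs: it can only consult `elements`. */
bool runtime_in_bounds(const toy_array *a, uint32_t idx)
{
    return idx < a->elements;
}

/* Runs one failed resize through `redim` and returns how many indexes pass
 * the runtime's bounds check yet have no memory behind them. Zero means the
 * descriptor stayed consistent. */
uint32_t phantom_after_failed_redim(int (*redim)(toy_array *, uint32_t))
{
    toy_array a;
    if (!toy_array_init(&a, 16, 64)) return 0;       /* 64 x 16 B = 1 KiB */
    int rc = redim(&a, 1u << 24);                     /* 256 MiB request: fails */
    uint32_t phantom = 0;
    if (rc != 0 && a.elements > a.allocated)
        phantom = a.elements - a.allocated;
    free(a.data);
    return phantom;
}

/* Same scenario, asked differently: does `idx` pass the check after the failed
 * resize, even though the array was never grown past 64 elements? */
bool index_passes_check_after_failure(int (*redim)(toy_array *, uint32_t), uint32_t idx)
{
    toy_array a;
    if (!toy_array_init(&a, 16, 64)) return false;
    (void)redim(&a, 1u << 24);
    bool passes = runtime_in_bounds(&a, idx);
    free(a.data);
    return passes;
}

int main(void)
{
    printf("phantom elements after failed redim (buggy): %u\n",
           phantom_after_failed_redim(redim_buggy));
    printf("phantom elements after failed redim (fixed): %u\n",
           phantom_after_failed_redim(redim_fixed));
    return 0;
}
```

The point the model makes is that the failure is not in the resize itself but in the state left behind when it fails: every index below the never-granted size now passes the engine's only bounds check, which is why the article treats the bug as a primitive for reading and writing outside the real allocation rather than as a simple crash.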