<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
GIFs. We love them. And we love them <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3174">giving
us remote code execution </a>even more than we love them showing
us <a href="http://imgur.com/gallery/40Nd2">how to escape from jail</a>.
<br>
<br>
The last CANVAS release (the base release, since I also consider the
VulnDisco, D2, SCADA+, etc. exploit packs as releases!) has a
working exploit for the July Microsoft Patch Tuesday DirectShow GIF
bug. (I hate it when people refer to things as the CVE - like you
have those all memorized.)<br>
<br>
The current exploit supports IE8 only, but on Windows 7 and XP
(known in the exploit community as the "Microsoft OS's with market
share" :>). We started this exploit thinking it would be a nice
easy exercise, and then it turned into the exploit from hell. But it
is finally done! Well. An exploit is never truly done. For example
"with minor amounts of work" this exploit can be ported over to IE9
and 10 from IE8. And then you ask "Can it work within Silverlight?
and get back "Maybe..."<br>
<br>
So you can spend years on a simple client-side if it's worth it to
you, or simply as performance art. In this particular case, it takes
a while to figure out how to even reach the vulnerability from IE,
as opposed to from "Media Player Classic", which is what the POC
runs inside. <br>
<br>
In any case, we hope those of you with CANVAS (which is all of you,
right?) test it out and let us know how well it works for you in
your environment. Always curious to see where this kind of work gets
you in the "reach out and touch someone" sense! <br>
<br>
-dave<br>
<br>
<br>
<br>
</body>
</html>