Did Microsoft pull an Ilfak? Microsoft’s patch under a magnifying glass

So, Microsoft released a patch ahead of schedule. We can only applaud that.

But what does that patch do?
Exactly what Ilfak Guilfanov’s patch did, only he built it in a few hours (plus some testing).

Microsoft disallowed SETABORT (escape code 9). Same as Ilfak’s… rearranged a bit. See for yourselves below. If that is the best solution, we see no harm in that either. It just seems that MS06-001 is Ilfak’s patch in a prettier outfit.

We understand the need for extensive testing, so the delay in this case can be accepted. And yet…
The new patch was released today. After patching, the new gdi32.dll carries a file date of the 28th of December. What’s the date today?

What’s that all about? It makes you wonder, doesn’t it?

Well, why don’t you see for yourselves? Here is what Microsoft did, as bindiff shows.

Old GDI32 has the bug here: the only escape code it filters is 0Fh (MFCOMMENT); every other code in the record, SETABORT included, is passed straight to Escape():

.text:77F24914                 movzx   eax, word ptr [ebx+6]
.text:77F24918                 cmp     eax, 0Fh
.text:77F2491B                 jz      loc_77F25067    ; default
.text:77F24921                 push    0               ; LPVOID
.text:77F24923                 lea     ecx, [ebx+0Ah]
.text:77F24926                 push    ecx             ; LPCSTR
.text:77F24927                 movzx   ecx, word ptr [ebx+8]
.text:77F2492B                 push    ecx             ; int
.text:77F2492C                 push    eax             ; int
.text:77F2492D                 push    dword ptr [ebp-7Ch] ; HDC
.text:77F24930                 call    Escape
.text:77F24935                 jmp     loc_77F23F23

The patched GDI32.DLL contains this code instead: the single compare is replaced by a call to a new helper, IsAllowedWmfEscape, and the record is skipped whenever that helper returns zero:

.text:77F24914                 movzx   ecx, word ptr [ebx+6]
.text:77F24918                 push    ecx
.text:77F24919                 call    _IsAllowedWmfEscape@4 ; IsAllowedWmfEscape(x)
.text:77F2491E                 test    eax, eax
.text:77F24920                 jz      loc_77F2506C    ; default
.text:77F24926                 push    0               ; LPVOID
.text:77F24928                 lea     eax, [ebx+0Ah]
.text:77F2492B                 push    eax             ; LPCSTR
.text:77F2492C                 movzx   eax, word ptr [ebx+8]
.text:77F24930                 push    eax             ; int
.text:77F24931                 push    ecx             ; int
.text:77F24932                 push    [ebp+var_7C]    ; HDC
.text:77F24935                 call    _Escape@20      ; Escape(x,x,x,x,x)
.text:77F2493A                 jmp     loc_77F23F23

… and the new function itself, which returns 0 for escape codes 9 (SETABORT) and 0Fh (MFCOMMENT) and 1 for everything else:

.text:77F42D66 ; __stdcall IsAllowedWmfEscape(x)
.text:77F42D66 _IsAllowedWmfEscape@4 proc near         ; CODE XREF: PlayMetaFileRecord(x,x,x,x)+ACD
.text:77F42D66
.text:77F42D66 arg_0           = dword ptr  8
.text:77F42D66
.text:77F42D66                 mov     edi, edi
.text:77F42D68                 push    ebp
.text:77F42D69                 mov     ebp, esp
.text:77F42D6B                 xor     eax, eax
.text:77F42D6D                 cmp     [ebp+arg_0], 9
.text:77F42D71                 jz      short loc_77F42D7A
.text:77F42D73                 cmp     [ebp+arg_0], 0Fh
.text:77F42D77                 jz      short loc_77F42D7A
.text:77F42D79                 inc     eax
.text:77F42D7A
.text:77F42D7A loc_77F42D7A:                           ; CODE XREF: IsAllowedWmfEscape(x)+B
.text:77F42D7A                                         ; IsAllowedWmfEscape(x)+11
.text:77F42D7A                 pop     ebp
.text:77F42D7B                 retn    4
.text:77F42D7B _IsAllowedWmfEscape@4 endp
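To make the before/after difference concrete, here is an added C reconstruction of the decision above. It is our own illustration, not Microsoft’s or Ilfak’s code: is_allowed_wmf_escape mirrors the patched helper, old_filter_allows mirrors the original single compare, and the META_ESCAPE record layout (size, function, escape code at offset 6, byte count at offset 8, data at 0Ah) is exactly what the [ebx+6], [ebx+8] and [ebx+0Ah] reads in the listings imply. The record parser, the would_call_escape wrapper and the sample records are constructed for the example; the code-9 constant is SETABORTPROC in wingdi.h, which the text calls SETABORT.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Escape codes as they appear in the metafile record (values from wingdi.h). */
#define SETABORTPROC 9       /* the text's "SETABORT" */
#define MFCOMMENT    15      /* 0Fh, already filtered before the patch */
#define META_ESCAPE  0x0626  /* WMF record function for an Escape() call */

/* C equivalent of IsAllowedWmfEscape from the patched gdi32.dll:
   returns 0 for SETABORTPROC and MFCOMMENT, 1 for everything else. */
int is_allowed_wmf_escape(uint16_t escape)
{
    return escape != SETABORTPROC && escape != MFCOMMENT;
}

/* The pre-patch decision: only MFCOMMENT was skipped. */
int old_filter_allows(uint16_t escape)
{
    return escape != MFCOMMENT;
}

/* Fields of a META_ESCAPE record as PlayMetaFileRecord reads them:
   offset 0: DWORD size in WORDs, 4: WORD function (0x0626),
   6: WORD escape code, 8: WORD byte count, 0Ah: payload. */
typedef struct {
    uint16_t escape;
    uint16_t count;
    const uint8_t *data;
} escape_record;

/* Decode one record from a buffer (constructed helper, little-endian).
   Returns 0 unless the bytes form a well-formed META_ESCAPE record. */
int parse_escape_record(const uint8_t *buf, size_t len, escape_record *out)
{
    if (len < 10) return 0;
    uint32_t size_words = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                          (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    uint16_t func = (uint16_t)(buf[4] | buf[5] << 8);
    if (func != META_ESCAPE) return 0;
    if ((size_t)size_words * 2 > len) return 0;          /* record overruns buffer */
    out->escape = (uint16_t)(buf[6] | buf[7] << 8);
    out->count  = (uint16_t)(buf[8] | buf[9] << 8);
    if (10 + (size_t)out->count > (size_t)size_words * 2) return 0;  /* count overruns record */
    out->data = buf + 10;
    return 1;
}

/* Emulates the branch in PlayMetaFileRecord: 1 means Escape() would be called,
   0 means the record is skipped. 'patched' selects old compare vs new helper. */
int would_call_escape(const uint8_t *buf, size_t len, int patched)
{
    escape_record rec;
    if (!parse_escape_record(buf, len, &rec)) return 0;
    return patched ? is_allowed_wmf_escape(rec.escape) : old_filter_allows(rec.escape);
}

/* Constructed sample records for the example (not taken from any real file). */
/* META_ESCAPE, escape 9 (SETABORTPROC), 4 payload bytes: 7 WORDs total */
static const uint8_t rec_setabort[] = { 7,0,0,0, 0x26,0x06, 9,0,  4,0, 0xAA,0xBB,0xCC,0xDD };
/* META_ESCAPE, escape 15 (MFCOMMENT), 4 payload bytes */
static const uint8_t rec_comment[]  = { 7,0,0,0, 0x26,0x06, 15,0, 4,0, 'a','b','c','d' };
/* META_ESCAPE, escape 12 (GETPHYSPAGESIZE), no payload: 5 WORDs total */
static const uint8_t rec_benign[]   = { 5,0,0,0, 0x26,0x06, 12,0, 0,0 };

int main(void)
{
    printf("SETABORTPROC record: old=%d patched=%d\n",
           would_call_escape(rec_setabort, sizeof rec_setabort, 0),
           would_call_escape(rec_setabort, sizeof rec_setabort, 1));
    printf("MFCOMMENT record:    old=%d patched=%d\n",
           would_call_escape(rec_comment, sizeof rec_comment, 0),
           would_call_escape(rec_comment, sizeof rec_comment, 1));
    printf("benign record:       old=%d patched=%d\n",
           would_call_escape(rec_benign, sizeof rec_benign, 0),
           would_call_escape(rec_benign, sizeof rec_benign, 1));
    return 0;
}
```

Running it shows the whole difference between the two binaries in one line: the SETABORTPROC record reaches Escape() under the old compare and is skipped under the new helper, while MFCOMMENT was skipped both before and after, and every other code still goes through.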

(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)
