| Mirror Sites | Main | IXP (JP) | Wiretip (US, OH) | CastleCops (US) |
| Latest News: | |
| Note | ZERT thanks the individuals who have voluntarily provided site mirrors in order to help in this community effort. |
| 03-Apr-2007 | Microsoft has released a patch for the Stack buffer overflow in ANI Handling under Microsoft Windows 0Day. The patch is for Windows 2000 with Service Pack 4, Windows XP with SP2, Windows XP Professional x64, Windows Server 2003 and Vista. Those using a supported Microsoft operating system should use the official Microsoft patch and should not use the ZERT patch. The ZERT2007-01 patch is only for unsupported versions of Windows. |
| 31-Mar-2007 | ZERT has released an advisory and a patch for ZERT2007-01 (Stack buffer overflow in ANI Handling under Microsoft Windows 0Day). |
| 11-Nov-2006 | Broadcom Wireless adapter advisory |
| 12-Oct-2006 | Microsoft released a patch to CVE-2006-3730 on 10 October. |
| 30-Sept-2006 | Determina has released a patch for ZERT 2006-02 (Buffer Overflow in ActiveX 0Day). ZERT has released ZProtector, a patch for the ZERT2006-02 (Buffer Overflow in ActiveX 0Day) exploit. See Patches below. |
| 29-Sept-2006 | ZERT has revised the ZERT2006-01 (Buffer Overflow in VML 0day) patch to work with versions of Microsoft Windows which have exited mainstream support: Windows 98 (RTM, SE), Windows 2000 (RTM, SP1 through SP3) and Windows XP (RTM). |
| 28-Sept-2006 | A technical write-up on ZERT2006-01 is now available, see Papers below. |
| 27-Sept-2006 | The ZERT team extends a hearty well-done to Microsoft for their efforts in creating the MS06-055 security patch. We especially thank, and applaud, the Microsoft Security Response Center (MSRC) for maintaining work of the highest quality and their continuous dedication to the security of their customer-base and of the Internet. |
ZERT is a group of engineers with extensive experience in reverse engineering software, firmware and hardware coupled with liaisons from industry, community and incident response groups. While ZERT works with several Internet security operations and has liaisons to anti-virus and network operations communities, ZERT is not affiliated with a particular vendor.
ZERT members work together as a team to release a non-vendor patch when a so-called "0day" (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the Internet or both. The purpose of ZERT is not to "crack" products, but rather to "uncrack" them by averting security vulnerabilities in them before they can be widely exploited.
It is always a good idea to wait for a vendor-supplied patch and apply it as soon as possible, but there will be times when an ad-hoc group such as ours can release a working patch before a vendor can release their solution.
When a threat is detected in the wild, the group will divide its patch creation efforts as follows:
Please keep in mind that while the group performs extensive testing of any patches before releasing them, it is impossible for us to test our patches with each possible system configuration and in each usage scenario. We validate patches to the best of our ability, noting the environments in which the tests were performed and the test results.
For information about ZERT members click here.
ZERT is pleased to announce ZProtector. ZProtector is a framework for patching 0day vulnerabilities and is designed to work with Microsoft Windows 95 through Windows Server 2003. It does not need to be uninstalled once a vendor patch becomes available.
For ZERT2006-02, ZProtector does not provide a patch per se but disables the ActiveX control vulnerable to this exploit. See below for more information and download instructions.
The following patches are available. Please keep in mind that while ZERT tests these patches, they are NOT official patches with vendor support and are provided as-is with no guarantee as to fitness for your particular environment. Use them at your own risk or wait for a vendor-supported patch.
| Name | Description & Notes | Release History | Downloads |
|---|---|---|---|
| ZERT2007-01: Stack buffer overflow in ANI Handling under Microsoft Windows 0Day. Vendor patch and information are available here. | A specially crafted animated cursor (ANI) file causes a stack buffer overflow in the Windows User API client library (USER32.DLL), allowing arbitrary code execution under Microsoft Windows 2000, XP SP2, Server 2003 and Vista. For more information, including a test to see if your system is vulnerable, read the ZERT 2007-01 advisory. | 2007-April-10 - v3.01 of ANI Patch has been released to protect against ZERT2007-01. | ZERT has released ANI Patch to protect against this vulnerability. Click here to download ANI Patch. (Size: 475KB, MD5 sum: da7a206e78f9bd6ec1f15804ae1896e1) A patch is available from eEye which addresses the vulnerability. eEye's patch works by preventing the loading of animated cursor icons from non-local locations, such as the Internet. As such, this patch does not fix the underlying vulnerability; it only blocks remote exploits. It can still be exploited locally by file copying, transmission through a .ZIP archive file and so forth. |
| ZERT2006-02: Buffer Overflow in Internet Explorer 6 on Microsoft Windows XP. Vendor patch and information are available here. | A buffer overflow in an ActiveX control for Internet Explorer 6 for Microsoft Windows XP with SP2 installed can crash the web browser and allow remote code execution. A test is available to see if your web browser is susceptible to the vulnerability. Please be aware that if your web browser is vulnerable, it will crash when the test is performed. Click here to test your web browser. | 2006-Sept-30 - ZProtector updated to protect against ZERT2006-02. | A patch is available from Determina. Click here to visit Determina's web site for more information. ZERT has updated ZProtector to protect against this vulnerability. Click here to download ZProtector. (Size: 167KB, MD5 sum: e22dc5bdcedc3236d1f4f22111237646) |
| ZERT2006-01: Buffer overflow in Vector Markup Language (VML) library file used by Microsoft Internet Explorer and Outlook. Vendor patch available as of 26-Sept-2006. Click here for more information. | A buffer overflow in the Microsoft Vector Graphics Rendering (VML) engine (filename: VGX.DLL) allows remote code execution. For information on how to test if you may be vulnerable to the exploit click here. If you erased the ZERT2006-01 patch from your system and cannot uninstall it, install Microsoft's patch and then click on Start → Run and type (or copy & paste) the following line when prompted to run a program: `%windir%\system32\regsvr32.exe "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"` Click on the OK button when done, and your system should now be protected by Microsoft's patch. | 2006-Sept-29 - v2.0 of the ZERT2006-01 patch has been released for use with older versions of Microsoft Windows outside of Microsoft's mainstream support. 2006-Sept-29 - v1.0 of ZERT2006-01 patch withdrawn. Please use the Microsoft patch instead. 2006-Sept-22 - v1.0 of ZERT2006-01 patch has been released. | Click here for download instructions and more information. |
[TECHNICAL] Analysis of ANI "anih" Header Stack Overflow Vulnerability, Microsoft Security Advisory 935423 - by Michael Hale Ligh with help from Andre (Dre) and various other members of mal-awares. Revision 31-March-2007.
[TECHNICAL] Analysis of CVE-2006-4868 and Patch Description - by Michael Hale Ligh with help from ZERT members. Revision 1.0 - 04-Oct-2006.
To participate in testing patches against 0day threats, please send email to zert-beta-testers@isotf.org for more information, or click here to join the mailing list.
To receive notice of patch releases, updates and withdrawals, please send email to zert-patches@isotf.org for more information, or click here to join the mailing list.
If you have a general question for ZERT, please send email to zert-info@isotf.org.
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 License.
Last revised 2007-Apr-04 12:55AM PDT.