ZERT2006-01 - Notes

Operating systems tested for unsupported systems patch:

* Windows 98
* Windows 98 SE
* Windows ME
* Windows 2000
* Windows 2000 SP3

Operating systems tested for withdrawn patch:

* Windows Server 2003
* Windows 2003 r2
* Windows Server 2003 SP1 (+/- Latest Patches)
* Windows XP
* Windows XP SP1a
* Windows XP SP2 (+/- Latest Patches)
* Windows 2000 SP4 (+/- Latest Patches)

Libraries tested:

5.0.3014.1004 
5.00.2014.200 
5.00.2014.200-SE 
5.00.3014.1003 
5.50.4133.200 
5.50.4133.200-ME 
5.50.4909.1000 
6.0.2600.0 
6.0.2800.1106 
6.0.2800.1411 
6.0.2800.1488 
6.0.2900.2180 
6.0.3790.0 
6.0.3790.1830 
6.00.2600.0000 
6.00.2800.1106 
6.00.2800.1265 
6.00.2800.1411 
6.00.2800.1461 
7.0.5112.0 
7.0.5296.0 
7.0.5450.4 - already patched, ZERT patch not applied
7.0.5770.6 - already patched, ZERT patch not applied


If your version of the library is not listed (check by viewing the
Version tab after right-clicking the file and choosing Properties),
that does not mean the patch will fail to work as expected. A common
signature was identified in the versions available to us, which marks
the vulnerable section of code. If this exact signature is not found
in your version of the library, the patch program will alert you and
abort making any changes to the system.

Testing Methodology:

The following details describe our methodology and were repeated once
for each of the library versions listed above.

* Verify that the library is vulnerable, by subjecting it to exploit
code in a malicious HTML document

* Verify that the library is capable of rendering legitimate VML
content, including shapes with a corresponding fill method

* Run the patch executable on the test platform

* Re-open the HTML document containing exploit code and ensure that
the library, and thus the calling process, is no longer vulnerable.
Among visual cues, such as the browser crashing, this step was
completed by using a debugger and making sure data is not written
outside of the buffer's boundaries.

* Repeat the second step and confirm that patched libraries do not
suffer from decreased functionality.