[VIM] ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability

security curmudgeon jericho at attrition.org
Wed Feb 10 08:53:28 UTC 2010



On Tue, 9 Feb 2010, ZDI Disclosures wrote:

: ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-016
: February 9, 2010
: 
: -- CVE ID:
: CVE-2010-0027
: 
: -- Affected Products:
: Microsoft Windows XP
: 
: -- Vendor Response:
: Microsoft has issued an update to correct this vulnerability. More
: details can be found at:
: 
: http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx
: 
: -- Disclosure Timeline:
: 2009-07-20 - Vulnerability reported to vendor
: 2010-02-09 - Coordinated public release of advisory

This CVE crosses with MS10-002 / 978207, tracked by OSVDB 61909 "Microsoft 
IE Unspecified Crafted URL Handling Arbitrary Code Execution". Per 
previous disclosure, this was reported to MS on 2009-11-15.

Your advisory says this affects Windows XP, not MSIE specifically, and 
crosses to MS10-007.

Can you clarify please?

