Wednesday, September 19, 2007 9:41 AM
cmosby
SANS Internet Storm Center - Flaw in MFC42 and MFC71 findfile() function
Flaw in MFC42 and MFC71 findfile() function
Published: 2007-09-18,
Last Updated: 2007-09-18 17:07:15 UTC
by Jason Lam (Version: 1)
A few readers brought it to our attention that a new 0-day vulnerability related to Windows platform has been published. The vulnerability is in the native libraries of Windows MFC42 and MFC71. The function CFileFind::FindFile() in MFC library is lacking in validation, when function argument is an overly long string, a heap overflow condition can result.
The effect of this vulnerability would be dependent on the application calling the function, some applications are easier to exploit than others. It is unknown at this point what major applications are affected by this vulnerability.
Please refer to this article for more details
Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
Filed under: Patch Management, Microsoft Windows, Security