Security hole in .NET 2.0
Jeroen Frijters recently discovered a bug in .NET 2.0 on Windows platforms that allows arbitrary code execution from a “verifiable and partially trusted C# application“. That really sucks. Now any .NET code running from the browser can also compromise the system. OK, a security problem happens to everybody, and we should have learned to forgive that by now.
Not this time. The bug was already known: it was “reported by someone else in August” and the “bug was subsequently fixed in September“. The patch only made it to Vista; the rest will get it through Windows Update “sometime in the next few months“. The only thing you can really say is WTF? Two people have already reported this bug independently.
Who knows how many people know about it but didn’t report it, and how many ran into it and know they can crash the system with it but can’t build a real exploit? Once again I think a POC should be released now. Seriously, one month was enough to patch it in Vista and four months weren’t enough for XP? MS, you don’t release patches when you like; you release them when they’re needed. What could change this policy? Someone owning an MS developer’s machine through this bug and stealing the Vista source? Owning Ballmer’s desktop with a 0-day and publishing his private mail?
It’s a pity that this exploit would be too valuable in the real world to waste on “it’s a bad patching cycle” propaganda. Maybe one day…