Security-Protocols

[youtube]gtCJHyFhB48[/youtube]

A security researcher by the name of “jamikazu” has released a PoC exploit for the .ANI cursor flaw. This exploit works on a fully patched Windows Vista machine, and also bypasses eEye’s .ANI patch. I think its kind of funny to see Vista get ruined by this cursor flaw which Microsoft has known about for over 5 months. Below is an excerpt from the site:

“Now there is a many thirth patch available for Animated Cursor Handling and with ani checker you can check your system for these patchs. This program checks your system against the (.ANI) vulnerability. It does not do anything harmful to your computer and does not alter any files on it.”

Source: jamikazu.110mb.com

Within the first five minutes of fuzzing Publisher 2007, I found 5 different bugs.  Anyway, this one is only a DoS but the others I am still investigating.  Below is a link to the advisory:

Microsoft Office Publisher 2007 DoS

Microsoft has launched soapbox, its answer to YouTube. Looks like they are also using flash as its video format.

Peter Gutmann has written an analysis paper regarding the cost of Microsoft Windows Vista DRM. Below is an executive summary from the paper:

Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called “premium content”, typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it’s not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server). This document analysis the cost involved in Vista’s content protection, and the collateral damage that this incurs throughout the computer industry.

I really like the executive executive summary better:

The Vista Content Protection specification could very well constitute the longest suicide note in history [Note A].

You can read the paper here:
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt