
Microsoft Visual Studio vulnerability



In Microsoft Visual Studio 2010 the DLL CPFE.DLL is vulnerable. A badly
written source file makes the application crash at loading. That makes it
really easy to mount a simple denial of service against the application by
using CVS or SVN repositories. Exploitation of this bug is not yet known or


To trigger the condition it just needs 2 lines of code in any source file:

extern class D
extern unsigned int exemple;

The application crashes at the exact time it detects that error pattern.
(Access violation at 0x3f898354: read of address 0xfffffffc)

You need to edit the source file outside of the application to remove


A denial of service against the application. If an exploit gets written for
that, like a forged source file that could inject shell code, then it will
be easy to infect distant computers using CVS/SVN because source files are
usually trusted to be virus safe because they are in plain text. (Not
counting that real-time antivirus products that are configured to scan by
file type don't usually scan source files.)
(Tested against Visual Studio Express 2010)


Use another IDE, or switch back to Visual Studio 2008


The vendor was informed of this bug by me at this time: 6/17/2010 8:23:04 PM
- On Microsoft Connect at first:
http://connect.microsoft.com/VisualStudio/feedback/details/568619. (Bug
confirmed by Microsoft)
- On secure@xxxxxxxxxxxxx after.
CERT/US-CERT was informed: 11/15/2010 9:51 PM
- I got a reply from CERT: 11/19/2010 9:12 AM
-- CERT directed me to the vendor as they cannot work on the case (too much
on their side). (VU#776108)
I emailed Microsoft one last time: 11/19/2010 9:15 AM.

Without an answer, I am now exhausted from trying to report this bug
correctly. So that is the reason for this disclosure.


This vulnerability was discovered by Philippe Levesque
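
An added example, not part of the original post or any vendor tooling: a Python pre-open check that scans a working copy for the two-line pattern quoted above, so a flagged file can be corrected in another editor before the project is loaded. The exact regular expressions (an "extern class" line with no semicolon, followed by another "extern" line) and the list of file suffixes are assumptions drawn from the sample in the post.

```python
import re
import sys
from pathlib import Path

# Assumption: the pattern is an "extern class <name>" line with no terminating
# semicolon whose next non-blank line is another "extern" declaration.
EXTERN_CLASS = re.compile(r"^\s*extern\s+class\s+[A-Za-z_]\w*\s*$")
EXTERN_DECL = re.compile(r"^\s*extern\b")
# Assumption: only C/C++ sources and headers are worth checking.
SOURCE_SUFFIXES = {".c", ".cc", ".cpp", ".cxx", ".h", ".hh", ".hpp", ".hxx"}

# Constructed samples: the two lines from the post, and a well-formed variant.
SAMPLE_BAD = "extern class D\nextern unsigned int exemple;\n"
SAMPLE_OK = "extern class D;\nextern unsigned int exemple;\n"


def find_trigger(text):
    """Return 1-based numbers of 'extern class X' lines that match the pattern."""
    lines = text.splitlines()
    hits = []
    for index, line in enumerate(lines):
        if not EXTERN_CLASS.match(line):
            continue
        # Blank lines between the two declarations are skipped.
        following = next((l for l in lines[index + 1:] if l.strip()), "")
        if EXTERN_DECL.match(following):
            hits.append(index + 1)
    return hits


def scan_tree(root):
    """Map each matching C/C++ file under root to its flagged line numbers."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES:
            # errors="replace" keeps the scan going on files in legacy encodings.
            hits = find_trigger(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, line_numbers in sorted(found.items()):
        print(f"{name}: lines {line_numbers}")
    sys.exit(1 if found else 0)  # non-zero exit lets a checkout hook stop here
```

Run it against a fresh checkout or update before opening the solution; a non-zero exit status means at least one file should be reviewed in a plain text editor first.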