HD Moore 动作果然快，分析已经出来了。

http://www.breakingpointsystems.com/community/blog/2009_microsoft_tuesday_coverage

大意就是只能DOS，不能利用。

这次更新包含三个漏洞，第一个在去年9月份出来的，只能DOS，后两个比较特殊，也是不能利用，原因比较复杂，他是这么描述的：

The next two bugs (CVE-2008-4834 and CVE-2008-4835) are a little different. These bugs are triggered when the service attempts to zero out a memory buffer that is smaller than a static value. If the attacker sends a request with certain fields set to values smaller than the static buffer size, the resulting operation overwrites the memory after the buffer with NULL bytes. Since we are dealing with driver code and the first buffer is allocated in a kernel pool, the subsequent overwrite usually corrupts the following pool header with a series of NULL bytes. 

This is where things start to get interesting. The Microsoft bulletin rates this patch as Critical and these two flaws as Remote Code Execution, but in order to execute code, there needs to be a way to leverage a small NULL byte overwrite of a kernel pool header to somehow gain control of execution. While there has been   in this area, it has focused on using controllable values to overwrite header entries. As far as I know, there is no easy way to leverage a NULL byte overwrite of a pool header into code execution. For this reason, I would agree that these bugs are Critical in the sense that they should be patched as soon as possible (to prevent an easy DoS if nothing else), but I do not believe they will result in code execution. Of course, I would love to be proven wrong :-)


注意其中他引用的一篇paper来自80sec存放的syscanhk大会的镜像，老外也关注80sec，顶一下。

当然，很多曾经被认为是不能利用的漏洞后来也被牛人搞出来利用方法了，比较著名的像是MS08-001，还有dowd 的那个 Flash 漏洞的利用。这次是否也会这样呢？