Microsoft Visual Studio vulnerability Nov 23 2010 05:12PM
jabea jabea net


In Microsoft Visual Studio 2010 the DLL CPFE.DLL is vulnerable. A badly
written source file makes the application crash at loading. That makes it
really easy to mount a simple denial of service against the application by
using CVS or SVN repositories. Exploitation of this bug is not yet known or


To trigger the condition, it needs just 2 lines of code in any source file:

extern class D
extern unsigned int     exemple;

The application crashes at the exact time it detects that error pattern.
 (Access violation at 0x3f898354: read of address 0xfffffffc)

You need to edit the source file outside of the application to remove


A denial of service against the application. If an exploit were written for
that, like a forged source file that could inject shellcode, then it would
be easy to infect remote computers using CVS/SVN, because source files are
usually trusted to be virus-safe because they are in plain text. (Not
counting that real-time antivirus products that are configured to scan by
file type don't usually scan source files.)
(Tested against Visual Studio Express 2010)


Use another IDE, or switch back to Visual Studio 2008


I informed the vendor of this bug on: 6/17/2010 8:23:04 PM
- On Microsoft Connect at first:
http://connect.microsoft.com/VisualStudio/feedback/details/568619. (Bug
confirmed by Microsoft)
- At secure (at) microsoft (dot) com after.
CERT/US-CERT was informed: 11/15/2010 9:51 PM
- I got a reply from CERT: 11/19/2010 9:12 AM
-- CERT directed me to the vendor as they cannot work on the case (too much
on their side). (VU#776108)
I emailed Microsoft one last time: 11/19/2010 9:15 AM.

Without an answer, I am now exhausted from trying to report this bug
correctly. So that is the reason for this disclosure.


This vulnerability was discovered by Philippe Levesque
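
As a mitigation aid for the repository scenario described above, the following added example (not part of the original advisory and not Microsoft code) scans source text for the two-line trigger before a checkout is opened in the IDE. It assumes the trigger is exactly "extern class <name>" followed directly by another "extern" declaration; the function names and the samples other than the two trigger lines are constructed for illustration.

```python
import re

# Comments and string/char literals are blanked so they neither hide nor fake a match.
_NOISE = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'',
    re.DOTALL,
)
# Assumed pattern, taken from the advisory's two lines: "extern class <name>"
# with no terminator, followed directly by another "extern" declaration.
_TRIGGER = re.compile(r'\bextern\s+class\s+[A-Za-z_]\w*\s+extern\b')


def _blank(match):
    # Keep newlines so reported line numbers still match the original file.
    return re.sub(r'[^\n]', ' ', match.group(0))


def find_trigger_lines(source):
    """Return 1-based line numbers where the advisory's pattern starts."""
    cleaned = _NOISE.sub(_blank, source)
    return [cleaned.count('\n', 0, m.start()) + 1
            for m in _TRIGGER.finditer(cleaned)]


def scan_files(paths):
    """Map each path to its hit lines; files are only read as text here."""
    hits = {}
    for path in paths:
        with open(path, encoding='utf-8', errors='replace') as fh:
            lines = find_trigger_lines(fh.read())
        if lines:
            hits[path] = lines
    return hits


# Constructed samples; only the two trigger lines come from the advisory.
SAMPLE_BAD = "int a;\nextern class D\nextern unsigned int     exemple;\n"
SAMPLE_SPLIT = "extern class D /* note */\n// spacer\nextern int x;\n"
SAMPLE_OK = 'extern class D d;\n// extern class D\nconst char *s = "extern class D extern";\n'

if __name__ == "__main__":
    import sys
    for path, lines in scan_files(sys.argv[1:]).items():
        print(f"{path}: trigger pattern at line(s) {lines}")
```

Run it over the files of a fresh checkout (for example from a pre-commit or post-update hook) and review any reported file in a plain text editor.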
