From 701acf48f9c132c8a391ae30028cd2829861d896 Mon Sep 17 00:00:00 2001 From: d3adc0de Date: Thu, 16 Sep 2021 08:22:46 +0100 Subject: [PATCH] Updated README --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5e46a7c..ea843ba 100644 --- a/README.md +++ b/README.md @@ -60,9 +60,10 @@ let's see the most important: and according to [MS documentation](http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf), this value can be 0 -**NOTE1**: Defender now detects the CAB file using the `_IMAGE_DOS_HEADER.e_magic` value as a signature, potentially avoiding -PE files to be embedded in the CAB. Can this signature be bypassed? As observed before, this is a patched vulnerability, -so I'm not planning to release anything more complex than this. Up to the curious reader to develop this further. +**NOTE1**: Defender now detects if the CAB file contains a PE by using the `_IMAGE_DOS_HEADER.e_magic` value as a +signature, potentially avoiding PE files to be embedded in the CAB. Can this signature be bypassed? +I'm not sure but, as observed before, this is a patched vulnerability, so I'm not planning to invest much more time +on this. Up to the curious reader to develop this further. **NOTE2**: Microsoft Patch blocks arbitrary URI schemes, apparently using a blacklist approach (this is just a supposition)
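Review bot: the rewritten NOTE1 still carries the ungrammatical phrase "potentially avoiding PE files to be embedded in the CAB"; suggest "potentially preventing PE files from being embedded in the CAB". While rewording, say what the signature keys on: `_IMAGE_DOS_HEADER.e_magic` is the two-byte `MZ` marker (0x5A4D) at offset 0 of every PE, so a detection keyed on it fires on any embedded PE regardless of its contents, which is the reason the note can say PE files can no longer be embedded at all. NOTE2 explicitly flags its blacklist claim as "just a supposition", but NOTE1 states how Defender detects the CAB as fact; unless that comes from a documented source, label it the same way (for example "appears to detect ... by using the `e_magic` value as a signature") so readers do not take an inferred detection mechanism as confirmed.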