[funsec] Microsoft knew about the WMF flaw for years

Richard M. Smith rms at computerbytesman.com
Mon Jan 16 09:03:07 CST 2006


Stephen Toulouse writing in a Microsoft security blog has now confirmed that
the Microsoft has known about the WMF flaw for many years:

   Looking at the WMF issue, how did it get there?

   "The potential danger of this type of metafile record was 
   recognized and some applications (Internet Explorer, notably) 
   will not process any metafile record of type META_ESCAPE, 
   the overall type of the SetAbortProc record."

   "The reason Windows 9x is not vulnerable to a "Critical" 
   attack vector is because an additional step exists in the Win9x 
   platform: When not printing to a printer, applications will 
   simply never process the SetAbortProc record."

This blog entry raises a number of important questions about Microsoft's
policy for handling security flaws in the Windows operating system:

   1.  Given the obvious dangers with SetAbortProc records, why
       didn't Microsoft simply disable the feature in the Windows
       operating system altogether and come up alternate for 
       aborting printing of WMF files?  Why were all the inadequate 
       work-arounds in application code pursued instead?

   2.  How come word about the dangers of the WMF file
       format did not make it to the Windows NT, 2000, and XP
       development teams as well as the team responsible for
       the Picture and FAX viewer?

   3.  Given the history of problems with WMF files, why
       hasn't support for them been removed from Internet
       Explorer?  Also shouldn't WMF files be marked in
       the registry as not safe-for-downloading?  

Richard M. Smith


More information about the funsec mailing list