Sunday, January 22, 2006

Windows Meta File (WMF) Vulnerability

As we mentioned recently, Steve Gibson started quite a kerfuffle when he suggested the serious security vulnerability in the Windows Meta File (WMF) graphics format was an intentional "backdoor." In the current Security Now! podcast (#23) he backs off that a little. First of all, he notes that "backdoor" has a lot of very negative baggage, and says he never intended to imply that Microsoft had Evil Purposes in mind. Secondly, one of his preliminary conclusions as to the exact nature of the code needed to trigger the vulnerability (i.e. record length set to 1 byte in the header) was not correct in general, but was due to the way his test program was constructed.

The fundamental problem is that under certain circumstances some versions of Windows will execute a program embedded in the WMF data file format. This is something that sound programming practice strongly forbids, and it led to a very dangerous vulnerability in Windows when evil hackers discovered how to exploit it.

Gibson now has a free test program to determine if a machine is vulnerable. He has confirmed that Windows 98 and Windows 95 systems are not vulnerable to this exploit. They simply will not execute the WMF code, period. Certain versions of NT are vulnerable and will not be patched by Microsoft. Patches have been issued by Microsoft for the newer versions of Windows and even for Vista, the not-yet-released version, all of which are subject to this.

There's really no question that the SetAbortProc() procedure that allows WMFs to offer up code to Windows for processing was deliberately introduced. It was, and it was there before Win 95. This is not a "buffer overrun" issue or a bug. It's a "feature." There's really no convincing explanation for why this vulnerability was introduced, intentionally or not, with the later versions of Windows. It's unlikely we'll ever know why it happened. It could be that even Microsoft does not know why it was done, since it was an undocumented "feature."


This page is from the original Don't Let Me Stop You blog.