How Exposed IS The WMF Vulnerability?
Thomas Ptacek | December 31st, 2005 | Filed Under: Disclosure, New Findings
Window, what does this quote from the Microsoft WMF Advisory mean?
Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector? No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we’re not aware of any attempts to embed specially crafted WMF files in, for example, Microsoft Word documents, our advice to accept files only from trusted sources would apply to any such attempts.
WMF is the standard image format for PowerPoint. Does PowerPoint use a different WMF engine from IE and Outlook? One that doesn’t honor SETABORTPROC?
This seems like a pretty important detail to get right in the advisory. I doubt the answer “no” is correct here.
For those (like me) who haven’t followed the discussion on this vulnerability carefully, and are therefore wondering why the XP SP2 Protections didn’t stop it: the vulnerability is that WMF has a printing escape sequence that literally allows the file to specify code to run (ostensibly to handle printing failures).
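Since the exposure comes down to whether a consumer of WMF data honors that one escape, the practical defensive question is whether a given file carries it at all. The following is an added example, not code from the original post: a small Python scanner that walks the WMF record stream and flags any META_ESCAPE record (function 0x0626) whose escape number is SETABORTPROC (9). The record layout, the optional placeable header, and the constants are taken from the WMF format; the sample file it builds for itself is constructed inline with dummy zero bytes in the escape payload, so there is no executable content in it.

```python
"""Flag WMF files that contain a SETABORTPROC printing escape (added detection example)."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable (Aldus) header
META_ESCAPE = 0x0626        # record function for escapes
SETABORTPROC = 0x0009       # escape number that registers an abort procedure
META_EOF = 0x0000


def iter_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22  # skip the placeable header if present
    if len(data) < offset + 18:
        raise ValueError("truncated WMF header")
    # METAHEADER: Type, HeaderSize (in 16-bit words), Version, Size, NumObjects, MaxRecord, NumMembers
    header_size_words = struct.unpack_from("<H", data, offset + 2)[0]
    offset += header_size_words * 2
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        if size_words < 3:
            raise ValueError(f"bad record size at offset {offset}")
        end = offset + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {offset} runs past end of data")
        yield offset, func, data[offset + 6:end]
        if func == META_EOF:
            break
        offset = end


def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for offset, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape_func = struct.unpack_from("<H", params, 0)[0]
            if escape_func == SETABORTPROC:
                hits.append(offset)
    return hits


def build_record(func, params):
    """Pack one WMF record; the size field counts words, so odd payloads are padded."""
    if len(params) % 2:
        params += b"\x00"
    size_words = (6 + len(params)) // 2
    return struct.pack("<IH", size_words, func) + params


def build_sample(include_escape):
    """Constructed minimal WMF: header, optional SETABORTPROC escape with a dummy payload, EOF."""
    records = []
    if include_escape:
        dummy = b"\x00" * 8  # placeholder escape data, deliberately inert
        escape_params = struct.pack("<HH", SETABORTPROC, len(dummy)) + dummy
        records.append(build_record(META_ESCAPE, escape_params))
    records.append(build_record(META_EOF, b""))
    body = b"".join(records)
    max_record_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record_words, 0)
    return header + body


def wrap_placeable(data):
    """Prepend a constructed 22-byte placeable header so the scanner's skip logic is exercised."""
    return struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + data


if __name__ == "__main__":
    print("escape present:", find_setabortproc(build_sample(True)))
    print("escape absent: ", find_setabortproc(build_sample(False)))
```

The scanner deliberately stops at the first malformed record rather than guessing, since a WMF that lies about record sizes is itself worth quarantining; a mail or document gateway can apply the same check to WMF streams pulled out of Office containers, which is exactly the vector the advisory waves off.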


Roy
January 2nd, 2006 7:09 am

An idle speculation on the reason MS is taking so bloody long to roll out a patch for the WMF vuln: they’re trying to figure out how to retain the functionality while making it “less exploitable”.
IMHO, Microsoft does not “get” security, and never has. It seems that every new exploit sees MS dragged, kicking and screaming, to the point of patching it. The mindset was typified by the name of the icon used to browse network connections (through Win2K): “Network Neighborhood”. It bespeaks a denial that the net can be a less than hospitable “place” and that its users may not all be upstanding netizens. Gaping holes like the WMF design flaw also show the bias that content providers must be given unfettered control of the computer (in the interest of “enhancing the user experience”, of course). And don’t even get me started on ActiveX.