[Dshield] Fwd: Microsoft knew about the WMF flaw for years

Chris Brenton cbrenton at chrisbrenton.org
Tue Jan 17 10:39:48 GMT 2006

Interesting post from Richard Smith to one of the SF lists.

-------- Forwarded Message --------
> From: Richard M. Smith <rms at computerbytesman.com>
> To: bugtraq at securityfocus.com
> Subject: Microsoft knew about the WMF flaw for years
> Date: Mon, 16 Jan 2006 10:08:49 -0500
> Hi,
> Stephen Toulouse writing in a Microsoft security blog has now confirmed that
> Microsoft has known about the WMF flaw for many years:
>    Looking at the WMF issue, how did it get there?
>    http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
>    "The potential danger of this type of metafile record was 
>    recognized and some applications (Internet Explorer, notably) 
>    will not process any metafile record of type META_ESCAPE, 
>    the overall type of the SetAbortProc record."
>    "The reason Windows 9x is not vulnerable to a "Critical" 
>    attack vector is because an additional step exists in the Win9x 
>    platform: When not printing to a printer, applications will 
>    simply never process the SetAbortProc record."
> This blog entry raises a number of important questions about Microsoft's
> policy for handling security flaws in the Windows operating system:
>    1.  Given the obvious dangers with SetAbortProc records, why
>        didn't Microsoft simply disable the feature in the Windows
>        operating system altogether and come up with an alternate for 
>        aborting printing of WMF files?  Why were all the inadequate 
>        work-arounds in application code pursued instead?
>    2.  How come word about the dangers of the WMF file
>        format did not make it to the Windows NT, 2000, and XP
>        development teams as well as the team responsible for
>        the Picture and FAX viewer?
>    3.  Given the history of problems with WMF files, why
>        hasn't support for them been removed from Internet
>        Explorer?  Also shouldn't WMF files be marked in
>        the registry as not safe-for-downloading?  
> Richard M. Smith
> http://www.ComputerBytesMan.com
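
Added example, not part of the forwarded message and not Microsoft's code: a Python scanner that walks the records of a WMF file and reports every META_ESCAPE record with its escape function, which is the check the quoted blog text attributes to Internet Explorer. The record layout and the constants (0x0626 for META_ESCAPE, 0x0009 for SETABORTPROC) are assumptions taken from the published WMF format rather than from this page, and the sample file is constructed.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header precedes META_HEADER
META_ESCAPE = 0x0626          # record type named in the quoted blog text
SETABORTPROC = 0x0009         # escape function inside a META_ESCAPE record
META_EOF = 0x0000

def scan_wmf(data):
    """Return [(offset, escape_function)] for each META_ESCAPE record in a WMF."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated META_HEADER")
    mtype, header_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += 18
    hits = []
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        # A lying size field must not push the walk out of bounds or loop forever.
        if size_words < 3 or off + size_words * 2 > len(data):
            raise ValueError("bad record size at offset %d" % off)
        if function == META_EOF:
            break
        if function == META_ESCAPE:
            if size_words < 5:  # no room for EscapeFunction + ByteCount
                raise ValueError("short META_ESCAPE at offset %d" % off)
            hits.append((off, struct.unpack_from("<H", data, off + 6)[0]))
        off += size_words * 2
    return hits

def has_setabortproc(data):
    return any(fn == SETABORTPROC for _, fn in scan_wmf(data))

def _record(function, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, function) + params

def build_sample(with_abortproc):
    """Constructed test input: a tiny WMF with no escape data bytes."""
    records = [_record(0x0103, struct.pack("<H", 8))]  # META_SETMAPMODE
    if with_abortproc:
        records.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)))
    records.append(_record(META_EOF))
    body = b"".join(records)
    biggest = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, biggest, 0) + body

if __name__ == "__main__":
    print(scan_wmf(build_sample(True)), has_setabortproc(build_sample(False)))
```

Rejecting a file on any hit from `scan_wmf` matches the behaviour the blog text describes for Internet Explorer; `has_setabortproc` is the narrower check for the one escape function at issue.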
