Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software Security

Two New WMF Bugs Found 127

Resident Egoist writes "Via PCWorld the news that two new Metafile bugs have been found, just a week after the patching of previous critical WMF issues." From the article: "All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update."
This discussion has been archived. No new comments can be posted.

Two New WMF Bugs Found

Comments Filter:
  • by Anonymous Coward on Tuesday January 10, 2006 @05:55PM (#14441081)
    It's going to be tough on them, but they really hope that windows can surpass the number of vulnerablities in unix/linux.
  • Non-critical (Score:4, Informative)

    by rodgster ( 671476 ) * <rodgster@y[ ]o.com ['aho' in gap]> on Tuesday January 10, 2006 @05:56PM (#14441091) Journal
    MS: These new WMF bugs are considered non-critical and a patch will be released during the normal patch release schedule (aka Feb 14).

    In other news, Ullrich's quote in TFA was hilarious.
    • Re:Non-critical (Score:1, Informative)

      by Anonymous Coward
      He, he, and Sony PSP 2.00 was hacked by another vulnerability (in libtiff) that also wasn't considered critical enough by Sony. Image formats are very complex creatures, metafile formats doubly so.
    • MS: These new WMF bugs are considered non-critical and a patch will be released during the normal patch release schedule (aka Feb 14).
      Translation: Please expedite your development schedule and release attacks tailed to said flaws prior to next patch release schedule.
  • I normally don't take that much notice of the various security announcements, because most people cause their own trouble on the internet through their mode of behaviour. These news reports really are starting to make me wonder what other holes there are in Microsoft products.
    • As TFA says, these vulnerabilities just cause things to crash. The other holes in microsoft products are what they used to patch regularly so far, this is no reason to think they're all as secure as a sieve.
      • by mpeg4codec ( 581587 ) on Tuesday January 10, 2006 @06:08PM (#14441215) Homepage
        Typically it's unusual to see ``just a crash.'' Most programmes written in C and C++ crash due to buffer overflows, which frequently lead to running unsigned code. As a general rule, if a C or C++ code crashes, it is a fairly likely possibility to be able to run arbitrary code. Just because nobody's done it yet doesn't mean that it's not possible.
        • by Anonymous Coward
          The bugs demonstrated here are not buffer overflows. They are the other kind of common C/C++ bug, namely an invalid (in this case NULL) pointer dereference. Null pointer dereferencing bugs are rarely exploitable.
          • Typically it's unusual to see ``just a crash.'' Most programmes written in C and C++ crash due to buffer overflows, which frequently lead to running unsigned code. As a general rule, if a C or C++ code crashes, it is a fairly likely possibility to be able to run arbitrary code. Just because nobody's done it yet doesn't mean that it's not possible.

            If you actually code for a living you should stop right now. (living or coding, either way works for me).

            The bugs demonstrated here are not buffer overflows. They
        • by myrdred ( 597891 ) on Tuesday January 10, 2006 @06:47PM (#14441578)
          It really depends on the type of crash, and I'm not it's safe to jump to your conclusion so eagerly. In fact, many crashes in C programs CANNOT lead to execution of arbirtrary code, such as division by zero errors and trying to access memory with a NULL pointer.
          • ...unless part of your exploit involves somehow setting up the SIGFPE (div-by-zero) or SIGSEGV (NULL-ptr-dereference) handler to run your code. But, then, that'd take exploiting TWO bugs.
        • Most programmes written in C and C++ crash due to buffer overflows, which frequently lead to running unsigned code. /JOKE

          Well, I'm glad I use PHP [php.net] so that I don't have any of those nasty, security problems! /SERIOUSLY

          It's kinda funny - things like buffer overflows just don't really happen in PHP (at least, in the PHP code, a few have been found in the C code in which PHP itself is written) but there are still a slew of security issues. A few I end up thinking about most:

          1) SQL-Injection. This can be handle
          • the reasons you don't see the problems you mention associated with C is the fact that many php (substitute other scripting language if you wish) "programmers" would never get anywhere with C in the first place.

            with the exception of uninitialised variables (which can happen in C but is more likely to happen in php due to its lack of required declaration) all of theese are things that affect poor programmers working in any language.
        • Most programs written in C/C++ crash due to invalid memory access, usually resulting from following bad pointers. Crashes from buffer overflows are rare by comparison.
    • I've been watching the bugtraq list via rss like I do every day. There have been (guessing) ~30 updates today and this one is no more earthshatteringly critical than any other. So why is this news and the others didn't make slashdot? The answer is in TFA: (emphasis mine)

      Cooper says that the new WMF vulnerabilities are not a major cause for concern. "New malformed images that simply crash things aren't really that important unless they can be shown to cause code to execute," he said via instant message.

  • So Microsoft poo-poos [informationweek.com] the bugs. Not an issue, overblown, won't affect anybody.

    Andy Grove could advise them [informationweek.com] on how not to handle such situations.

    please tell me one of the bugs is not a bee, we're still sorting it out. [slashdot.org]

  • "unusual"? (Score:1, Insightful)

    by ummit ( 248909 )
    That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch...

    What's so unusual about that? (Seriously, it seems to happen every few months.)

    • It's unusual because Microsoft ALWAYS releases patches on thursdays. People has been asked for years to release them as soon as they're ready, and this time they had to release them sooner, because there were too many risks. The WMF vulnerability has been indeed unusual.
  • "Hacker" (Score:5, Insightful)

    by mysqlrocks ( 783488 ) on Tuesday January 10, 2006 @05:59PM (#14441130) Homepage Journal
    ...a hacker has published details of two new flaws that affect the same part of the operating system.

    If you read the post on the security mailing list it sounds like someone trying to get this vulnerability out in the open so it can be fixed. Unless they mean a "white hat" hacker or a hacker in the real sense of the word but I doubt it. This is one of those words that should be used carefully, especially by "journalists".
    • Re:"Hacker" (Score:5, Insightful)

      by Krach42 ( 227798 ) on Tuesday January 10, 2006 @06:13PM (#14441266) Homepage Journal
      If you read the post on the security mailing list it sounds like someone trying to get this vulnerability out in the open so it can be fixed. Unless they mean a "white hat" hacker or a hacker in the real sense of the word but I doubt it. This is one of those words that should be used carefully, especially by "journalists".

      This is a good point. A "black hat" hacker does not disclose bugs, but rather keeps them quiet or shares them with select friends, and peers.

      A person releasing this information to a security list is either a concerned "citizen", or a security person.

      A citizen posting information to a newspaper editorial about lack of security at the courthouse, for instance "I was at the courthouse, and there was a side door that wasn't being watched at all by anyone!" wouldn't get immediately marked as a terrorist.

      Why should we automatically mark a person disclosing computer-security information to the public as a whole, as a hacker?
      • Well, we can at least partially thank the great O'Reilly Hacks series for de-criminalizing the word.
        One wonders if a sufficient population of Hacks tomes in the market will convince people that emancipation from Redmond is possible...
        • Re:"Hacker" (Score:3, Funny)

          by Krach42 ( 227798 )
          Call me a cinic, but I just can't read that and believe that the decriminized word "hacker" were the intentions of the author. Also, I am highly sceptical that most people reading the text would not immediately assume "black hat" hacker.

          I even read it that way.
      • Why should we automatically mark a person disclosing computer-security information to the public as a whole, as a hacker?

        Because once a bug has been found, it needs to be fixed, and that costs the developer money. The bug being made public also hurts the developers reputation. Therefore, it is in developers best interest to try to keep the bugs from being made public, by, for example, suing and badmouthing the person who found it.

        Just another example of enlightened self-interest and shareholder value

  • but wait did the MS apologist not say that the 8 day delay between exploit and patch was because MS needed to test the patch completely and make sure it worked fully?

    oh this does not count as it was a different problem and can't be exploited (yet) and just because it is in the same code I am a meanie for thinking MS should have fixed WMF once and for all?

    8 days should have been enough time for MS to completly check the code involved and use every attack possible. The fact that MS obviously hasn't bothered

    • by RingDev ( 879105 ) on Tuesday January 10, 2006 @06:20PM (#14441330) Homepage Journal
      "8 days should have been enough time for MS to completly check the code involved and use every attack possible."

      Yes becuase breaking hundreds of people off their regular duties, tracking down 10 year old code written by someone who either doesn't remember writing it or no longer works there, correcting the code in a way that prevents the exploit, but doesn't impact functionality, testing the correction on all supported versions of windows, numerous hardware configurations, and against dozens of 3rd party software packages that use the library, then documenting the problem, the change, and the disimination of the change, then getting the whole thing wrapped up into a nice neat deployment package, is easy.

      Yeah, I can see how 8 days is slacking.

      Try reading this article: http://blogs.msdn.com/ericlippert/archive/2003/10/ 28/53298.aspx [msdn.com] "How many MS Employees to change a light bulb?"

      -Rick

      -Rick
      • That's all well and good, but they seem to be skipping steps 6 and 7:
        • At least one dev, tester and PM to brainstorm security vulnerabilities.
        • One PM to add the security model to the specification.


        But maybe if they had been doing those in the first place they wouldn't be patching it now.
        • But maybe if they had been doing those in the first place they wouldn't be patching it now.

          Have you ever worked on a large software project? No matter what you do, if your code is large, complex, and used extensively, there will be security flaws that need patching. There is no process or technique that can provide the same level of testing as 600 million users and (at least) several thousand individuals working to break your product.

          Indeed, security vunerabilities have dropped in severity and number with M
      • Yes becuase breaking hundreds of people off their regular duties

        Actually, given MS' scope and resources I fully expect them to have a staff whose regular duties consist solely of fixing these types of problems.

      • So Microsoft doesn't have programmers that work full-time as code auditors? It's not like they don't have the resources. I know that reading someone else's code can be difficult, but if you're documenting your code and modularizing it properly, which Microsoft should be doing anyway, it shouldn't be like pulling teeth.

        What it really boils down to is that Microsoft isn't in the business of writing quality code. Their goal is to pump out code that is good enough to maximize profits. This is why Free Sof

        • I know that reading someone else's code can be difficult, but if you're documenting your code and modularizing it properly, which Microsoft should be doing anyway, it shouldn't be like pulling teeth.
          you obviously never read any of the leaked win2k source code

          seeing is believing
      • couldn't they do a bit of overtime or something. maybe shorter lunch breaks until this is fixed.
      • > Yes becuase breaking hundreds of people off their regular duties, tracking down 10 year old code written by someone who either doesn't remember writing it or no longer works there, correcting the code in a way that prevents the exploit, but doesn't impact functionality, testing the correction on all supported versions of windows, numerous hardware configurations, and against dozens of 3rd party software packages that use the library, then documenting the problem, the change, and the disimination of the
      • tracking down 10 year old code written by someone who either doesn't remember writing it or no longer works there,

        Tracking the code down should be no problem. They know what function in what dll it was - how hard is it to find the code for it?

        correcting the code in a way that prevents the exploit, but doesn't impact functionality,

        Shouldn't take more than a day. Two, tops.

        testing the correction on all supported versions of windows, numerous hardware configurations, and against dozens of 3rd party softwa

    • by edwdig ( 47888 ) on Tuesday January 10, 2006 @06:21PM (#14441341)
      8 days should have been enough time for MS to completly check the code involved and use every attack possible. The fact that MS obviously hasn't bothered shows they still don't understand security. OF course hackers are going to try to find new exploits in WMF code since they know MS and that if there is one bug there must be others.

      Most of the 8 days wasn't spent checking that the exploit was fixed. I'm sure that part went fairly quickly. The real issue is that although WMF files are fairly rare, the WMF format is used extensively inside Windows. The feature in question is only a security issue when found in arbitrary WMF files, but serves a legit purposes when used inside of applications. The 3rd party fix floating around broke some printer drivers and probably other software, whereas Microsoft's fix resulted in less (if any) broken software. The bulk of the time was spent testing the fix for unexpected consequences.
      • Bug Fix Issues (Score:3, Interesting)

        by HopeOS ( 74340 )
        One of our developers applied the Microsoft fix (along with ten others) this morning. He can no longer debug multi-threaded code in MSDev version 6.0. Stopping on a break point in any thread other than the main thread locks the GUI for all processes. At this point, we are testing if this is isolated to MSDev version 6 or all debuggers. We also do not know which of the ten or so patches was responsible. I would be interested to know if anyone else encounters this. At this point, our developer will be r
      • interesting
        then how is it possible MS
        decided to release the patch 5 days earlier than they saidd they would
        That day of the month
        Patch Day



        wouldnt be they were sitting it on ice waiting for patch day
        but released it early due to public backlash
  • by Skiron ( 735617 ) on Tuesday January 10, 2006 @06:10PM (#14441243)
    ... what a fucking mess.
  • Name the Culprits (Score:4, Insightful)

    by Nom du Keyboard ( 633989 ) on Tuesday January 10, 2006 @06:13PM (#14441263)
    Why aren't the programmers that worked on any given buggy module ever named? If you faced public ridicule and loss of reputation for releasing exploitable code you might be more careful about what you certify as ready to ship.
    • by wellybog ( 933647 ) on Tuesday January 10, 2006 @06:22PM (#14441343) Homepage Journal

      Speaking as a professional software developer, I have a manager for exactly this reason - if we f*ck up (for whatever reason, but usually because deadlines mean testing doesn't happen), the project manager gets the blame.

      In a perfect world software developers unit test their code, and then testers run through a test plan that was written before development began. Unfortunately we don't live in a perfect world - which is why ideas like "extreme programming" came about.

    • No until they pay royalties to the programmer, that's for sure.
    • Why aren't the programmers that worked on any given buggy module ever named?

      Do you know how many people that would be for WMF? It's been around as a file format almost 20 years. I bet there's at least a hundred people who have touched the MS WMF parsing code. Find who whote the exploitable lines of code you say? Fine, spend the time going back through that 20 years of versioning to blame someone for code they probably wrote over a decade ago - a process that would take longer than patching the exploit. Th

    • by blahtree ( 55190 ) on Tuesday January 10, 2006 @08:18PM (#14442223)
      You have obviously never worked in professional software development.

      Software is developed by a team. No, not a team of programmers, but a team of people that may include architects, designers, UI designers, programmers, integrators, testers at various levels, management and marketing. This list changes in different environments. Often smaller, but sometimes larger.

      When a bug is found, who is responsible? Is it the programmer? Is it the tester that missed the bug? Is this "bug" actually a feature requested by marketing? Is this bug the result of mis-design? Was this bug either ignored or not found because of insufficient time allotted by management?

      It's easy to point fingers, but how do you decide who to point them at?
    • This code was written at a time where security in the Windows world wasn't a true concern. Reasons:

      1- Viruses didn't need vulnerabilities such as this one to run since most people didn't have antivirus software and would execute any program they got from anyone.

      2- Knowledge about security wasn't as widespread as it is now.

      So should they blame the original developers of the WMF code or the people who decided to use their code in new windows versions without having it reviewed?
    • The WMF format was created for windows 3.1, they may not work at microsoft anymore.

      And the WMF "vulnerability" was NOT a vulnerability. It was a feature (you could attach executable code in the WMF for some reason, yes). Of course it was created when there was no internet, but it was a feature and it might have been a useful feature at that time.

      • The distinction between feature and vunerability is fuzzy. The fact that Windows XP ships with a blank administrator password is a feature too. Many home users find passwords bothersome. But the feature making the machine vunerable to administrator level access with no password is a vunerability. The code placed in the Sony rootkit remover that allowed the web browser to execute arbitrary code remotely was a feature too. But the fact that it could be used to run arbitrary code was also a vunerability.
  • by chill ( 34294 ) on Tuesday January 10, 2006 @06:13PM (#14441268) Journal
    ...if Microsoft had had the extra time and not released the patch until they considered it "fully tested", would they have caught these bugs as well?

    Knowing that the WMF code is now under the microscope, will they divert resources to specifically re-vet that code, or will they sit on their rear ends and wait until another exploit is found for them?

    As a tidbit of information, I have "converted" three of my neighbors to Linux -- at least dual booting, if not whole penguin -- in the last two months. Each time was at their request and for the exact same reason. Their Windows PC regularly gets trashed by spyware, viruses and worms and they've just damn well had enough in having to deal with it all. They want to get their work done, not fight with malware and have to upgrade machines because their old one isn't powerful enough to run their apps AND all the "keep me safe" software.

      -Charles
    • I may get owned by other /.ers here but, If your windows box gets beaten to crap by spyware, malware, etc, you have to be doing something wrong. I use firefox with noscript and adblock on my home windows machine. I surf the web, but generally not to www.trytohackmywindowsboxhahaha.com - I browse to reputable websites only. That being said, I run a virus scan "every once in awhile" and always pat myself on the back when 0 files are detecetd as viri, spyware, malware, or any of that other crap. The wors
      • For the people who I converted to dual-boot systems, that is basically what I did for their Windows side. I added Firefox with a half-dozen extensions including Adblock and the FilterSet.G updater; made sure their AV was up-to-date and configured to update itself nightly; made sure they had anti-spyware software installed and configured; etc.

        You're right, they were all doing something "wrong". They all had virused .exe attachments in their mailbox sent by "friends"; they all had visits to "questionable" w
        • "have to upgrade machines because their old one isn't powerful enough to run their apps AND all the "keep me safe" software."

          So did you talk them into upgrading? I find loading up anything good on an old box is a noticable slowdown :(

          Actually have the same problem at office, i cant run the AV/Firewall and actually use our main program at the same time :( The program we need will run on anything but still need windows/IE for a couple programs. However the AV/firewalls i tried absolutely hate the terminal emu
          • So did you talk them into upgrading? I find loading up anything good on an old box is a noticable slowdown :(

            I almost always convinced them to install more RAM. Many of the machines were an anemic 128 Mb of RAM. Boosting them to 512 Mb made a big difference, Windows or Linux.

            Beyond that, only one person had an old, old machine (350 MHz P-2, 128 Mb RAM Dell Optiplex GX-1) and Slackware 10.2 runs fine on that. It runs absolutely great after I had them upgrade the RAM to 512 Mb. They use it for e-mail, web
          • running Win2K for a brand spanking new AMD64 with more RAM.

            I ran the old thing behind a firewall and got my wife used to OpenOffice, FireFox and Thunderbird so it was pretty safe.

            Performance was pathetic but since the box originally cost me nothing (a 'freebie' with tuition) I figured I was ahead of the game.

            It was XMas, her iTunes had stopped working because of a DLL hell problem, so I bought the new box. (I actually bought 2 boxes, and one is slicing and dicing on slackware Linux and its noticably faster
      • I agree with you 100% gallwapa, in fact I recommend removing Internet Explorer completely. Now you can't get around them using Explorer to surf (unless you invoke the peguin like in the parent thread), but what you can do is my trick I use. Don't make the blue E evil, make it safer. Change the "E" shortcut to use Firefox instead. Most likely, they will barely notice the difference other than not being 0wn3d by some crap ass spyware. But you are right, people can be socially engineered easily especially novi
      • I may get owned by other /.ers here but, If your windows box gets beaten to crap by spyware, malware, etc, you have to be doing something wrong.

        I've heard a lot of people say that. Usually it emerges that their ISP filters things.

        I use firefox with noscript and adblock on my home windows machine.

        So you're the person responsible for having those unintrusive banner ads replaced by cpu-sucking flash ads. Anyway, why should you need to block scripts?

        I surf the web, but generally not to www.trytohackmywindow

        • "I use linux. I have javascript enabled, though I don't let it resize windows or anything else I don't like. I browse wherever I like, without fear, without any real need to be careful."

          What browser do you use though? If it's Mozilla or a derivative (e.g. FireFox) I'd say you should be more careful. Mozilla is probably in the same order of magnitude of bugginess as IE (if not more so - just look at Mozilla's track record). It's just not targetted as much publicly. Just wait till it gains even more marketsha
          • Regarding virtual machines and IE -- My brother, despite me installing firefox and such, still used IE (bastard!) heh. So what I did was grabbed a base windows install VM, then gave him the free VM player so he could surf using the VM. Works like a charm.
          • What browser do you use though? If it's Mozilla or a derivative (e.g. FireFox) I'd say you should be more careful. Mozilla is probably in the same order of magnitude of bugginess as IE (if not more so - just look at Mozilla's track record). It's just not targetted as much publicly. Just wait till it gains even more marketshare.

            Konqueror. I don't trust anything extensible that has to deal with remote content.

            Basically any software that has had a history of crashing can probably be exploited[1].

            Konq doesn'

            • Ah, Konqueror has a much better track record. Heh I've been modded down for saying that Mozilla was insecure, dunno why ;).

              With regards to the google desktop thing, I don't run google desktop myself, the problem is there may be other stuff in the background that go about doing similar things (maybe not on my personal PC but other people's PCs e.g. mom's), and I worry that those processes just might be running with higher privileges than normal restricted user (which I've got mom etc to run as - with no comp
              • With regards to the google desktop thing, I don't run google desktop myself, the problem is there may be other stuff in the background that go about doing similar things (maybe not on my personal PC but other people's PCs e.g. mom's), and I worry that those processes just might be running with higher privileges than normal restricted user (which I've got mom etc to run as - with no complaints so far).

                Good point. I wonder whether XP's indexed search feature could trigger this, if so, ouch.

      • Ummm... No?

        The first one is about a web fonts exploit

        The second has something to do with Microsoft Outlook, Microsoft Exchange, or customers who have the Microsoft Office Multilingual User Interface Packs, Microsoft Multilanguage Packs or Microsoft Office 2003 Language Interface Packs

        both are critical, but only the first one affects Windows. #2 only exploits office/exchange/etc
  • The best part is the response from Lennart Wistrand yesterday on the MS Security Response blog. "As it turns out, these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit." -- Lennart Wistrand http://blogs.technet.com/msrc/archive/2006/01/09/4 17198.aspx [technet.com]
  • but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts This sentence says that according to security experts Microsoft has patched the previous vulnerability. The sentence should read: but these latest flaws are far less serious, according to security experts, than the vulnerability Microsoft patched last week
  • As much fun as it is to lambast Microsoft for this kind of thing, the types of exploit that have been "exposed" recently are very difficult to predict in advance (i.e. use of software features in unexpected ways). It's a little like blaming Boeing for letting their aircraft be flown towards tall buildings...
    • That's why computer programming is difficult, especially security-related computer programming [cam.ac.uk]: you have to deal with people doing unexpected things.
    • As much fun as it is to lambast Microsoft for this kind of thing, the types of exploit that have been "exposed" recently are very difficult to predict in advance

      Oh, do you really believe that it is difficult to predict that failure to check for null pointers in C code might lead to serious problems? Criticizing coding and QC practices that don't measure up to professional standards is hardly facile or unworthy. It's sort of like criticizing rampant fraud, waste, and abuse in our government. Never excuse
  • by this great guy ( 922511 ) on Tuesday January 10, 2006 @06:25PM (#14441385)
  • Wouldn't this make 6 bugs on *nix - two for each of cedega, wine & crossover?

    ... Microsoft will never catch up.
  • Can I just turn WMF handling off entirely? Its not like I ever use it for something useful.

    (Or do I?)

    • You do: it's used internally for a lot of things. Printer drivers, for one, I understand.
      • Which raises the questions: why the hell aren't they using PCL or atleast postscript? My experiences with exporting WMF's from various apps(I think Illustrator, possible PSP), was that it was a god-awful format. I mean if you had like two things overlapped, it would totally screw up. Maybe the print drivers that use WMF do something differently, but I can't imagine why anyone would want to use a printer that used WMF.
        • WMF is (was) use for WYSIWYG printing -- the app can generate the same WMF for both the screen and printing. The driver converts WMF to PostScript or PCL or whatever the printer speaks.
    • They could turn off IE support for WMF which would prevent all the exploits. I don't see any reason why IE should render a WMF file. Make the user download it and click it. If they are stupid enough to do that, they're probably stupid enough to click an .exe or .pif.
    • Actually... (Score:3, Informative)

      by Svartalf ( 2997 )
      WMF is wired into the GDI- it's a GDI playback script is what it really is. This means that printers use it to do the WYSIWYG printing work unless you're using Postscript printing or force the GDI to print to a RAW spool (in which the printer driver renders the print job to the spool as printer commands- which is MUCH more inefficient...).

      Just because you don't think you're using it, doesn't mean Microsoft's not using it for you.
      • Re:Actually... (Score:1, Interesting)

        by Anonymous Coward
        Also, some applications use WMF internally. Both as resources (for static graphical content) and as a cache to avoid repeatedly CPU-intensive graphics operations. My application (an automotive analysis tool) does exactly this sort of thing at times to make the display snappier (and reduce laptop battery consumption).

        Its no different in design to a PICT resource that the Mac toolbox uses (and I'm sure OS X to this day still has an interpreter in it).
        • And there'd been nothing wrong with it, so long as they didn't implement the Escape function. But they DID that one- so it became an unsafe beastie. I'd have patched it so that the code could still fucntion, but if it relied on that one unsafe feature, it'd be broken for you. I'm hoping that is what they did. If so, they did the fix right. If not, shame on them.
  • by Yeechang Lee ( 3429 ) on Tuesday January 10, 2006 @06:38PM (#14441488)
    . . . that any Windows PC used to read this Slashdot story is now infected with a worm that exploits these WMF security holes.

    Darn banner ads!
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Tuesday January 10, 2006 @06:40PM (#14441502)
    Comment removed based on user account deletion
  • Too little too late? (Score:3, Interesting)

    by xPsi ( 851544 ) on Tuesday January 10, 2006 @06:45PM (#14441567)
    That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update.

    But still released many days after independent programmers (e.g. Ilfak Guilfanov [hexblog.com]) managed to build a fix. At work (a national lab), we were explicitly instructed not to wait for the early windows patch.

    • A fix that by all accounts broke some printer drivers - so yeah, the independent programmers built a fix but it was of lower quality. I don't know about you, but where I am printing is kind of important...
  • All you people that wanted Windows to rush out a fix. Take that. Now you see that rushing isn't always the best policy. They just need to take their time and make sure everything works. And, if that means they never actually fix the problem, well so be it. It's better than rushing and then realizing they only scratched the surface of the problem. Because, that's embarassing.
  • by Max Nugget ( 581772 ) on Tuesday January 10, 2006 @09:58PM (#14442839)
    Part of the problem is that MS is reluctant to phase out obsolete technologies.

    Take WMF files for example. Obviously nobody making new software today, would incorporate WMF technology. It's obsolete and unpopular. The only people who use WMF tech today are those who are using software that was designed to make use of that format. And therein lies the problem. At some point in time, software programs were created that used WMF technology. MS could come out and say "WMF is obsolete, and rather than take the risk of continuing to include a software component that may compromise security, we're going to completely remove support for it in future versions of Windows, since barely anybody uses it anyway." If MS were to say that with enough legacy technologies, people would get mad at them. If you're using or writing software for some new technology, you AT LEAST want to take solace in knowing that, even if it's unpopular and discontinued, it will at least remain USABLE on future systems.

    So I can sort of understand MS's pickle from that point of view. It's sort of like users complaining that some security hole in Windows 3.1 has, in 2005, still not been patched. And on the other hand, a whole wave of users would potentially be up in arms if MS decided to, in the name of security, remove support for running old 16-bit Windows 3.1 programs in Windows XP.

    And incidentally, I have a box of clip art CDs in WMF format.

    The same people on this forum who would criticize MS for not patching AND not removing WMF support, probably wish that Windows XP had better support for the old early-mid 90's DOS games. And yet it might be a completely impractical task (not to mention an expensive one given the limited appeal of the feature) to eliminate all of the security risks posed by support for DOS (and, don't forget, back in the DOS era, a virus was more likely to format your hard drive than email your address book).

    Windows may be a feature-driven, compatibility-over-security operating system, but just because we all want security, let's not pretend we don't like features and compatibility.
    • The real solution would be to include WMF support, but disable it. For those 0.014% of people that need it, they or the software package they plan to use can enable it.

      It's not that tough a concept. Linux distros did it a long, long time ago (disabling services by default).
    • The same people on this forum who would criticize MS for not patching AND not removing WMF support, probably wish that Windows XP had better support for the old early-mid 90's DOS games.

      This particular example is not too good; old DOS games work perfectly fine in an x86 emulator like Dosbox.

      • This particular example is not too good; old DOS games work perfectly fine in an x86 emulator like Dosbox.

        There's workarounds, adapters, modifcations, etc, for lots of obsolete technologies. That doesn't help the millions of DOS gamers who aren't savvy enough to download DosBox.

        But perhaps a better example that's similar to the WMF exploit is electrical outlets: Modern consumer electronics have plugs designed to only be compatible with outlets that indicate the proper polarity. They won't fit into older out
        • That doesn't help the millions of DOS gamers who aren't savvy enough to download DosBox.

          Google search for "old dos games" [google.com]. Check out the "essential utilities" link. I also doubt there are really "millions of DOS gamers", especially ones who are running win2k/xp and aren't savvy enough to figure it out.

          If thats too nitpicky:

          These "legacy" adapters are similar to MS's continued inclusion of WMF. They provide some backwards compatibility, at the expense of safety/security.

          These "legacy adapters" don't come wit
          • Google search for "old dos games". Check out the "essential utilities" link. I also doubt there are really "millions of DOS gamers", especially ones who are running win2k/xp and aren't savvy enough to figure it out.

            However many people were buying and playing DOS games in the early-mid 90's, that's how many potential "I want to play DOS games" gamers exist today. I don't know if it's a few hundred thousand or a few million, but I'm guessing it's the latter. Nearly everyone is running Win2k/XP today. You don'
    • The only people who use WMF tech today are those who are using software that was designed to make use of that format.

      If you're going to put it this way, then I can't disagree!

  • And I quote...

    All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format

    Like the last so-called WMF bug, this is not a bug in the format, it is a flaw in a specific renderer (the MS Windows graphics susbsystem, in this case) that supports the format.

    In fact, data does not in general ever contain software bugs. It is in fact the executables that might interpret that data, which contain the bugs. That there may exist datastreams that can exploit vulnerabilities in ex

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...