Don't Let Me Stop You

What the heck, you'll do what you want anyway.

Windows Meta File Vulnerability Kerfuffle

Posted by Dan Draney on January 14, 2006

If you operate mainly in the Windows world, you should already have heard about the severe security vulnerability in Windows Meta Files (WMF). As it turns out, this is apparently not a bug; it’s a feature.

A little background will help those who missed the initial story. At the end of December it was discovered that simply displaying doctored graphics files (WMF format) in a browser or email program on a Windows PC could force the PC to execute code embedded in the graphics file. The malicious hackers* who write “malware,” instantly began exploiting this hole at web sites all over the net and with email viruses. Perhaps this had already been going on for awhile before the hole was discovered.

While this sounds almost like one of those email urban legends, this is real and serious. There is now a patch available for the newer versions of Windows from Microsoft. If you are running Windows haven’t patched your system, go directly to the Windows Update page and do so.

That might have been the end of things, except that Microsoft decided not to create any patches for Win 98 / Win 95 users, even though those systems also could be vulnerable. In fact no one is quite sure whether Win 9x is or is not vulnerable to this.** Security “guru,” Steve Gibson, who does the podcast Security Now! with Leo Laporte, pledged on the podcast that if Microsoft did not fix this for Win 9x, then he would.

As Gibson tried to reproduce the exploit so he could prevent it, he found some strange aspects to it. The oddities Gibson found convinced him that the WMF vulnerability had been deliberately introduced. Microsoft had already said that this was not a “buffer overflow” problem, like many previous vulnerabilities. Rather it was a known feature of the WMF format, added in the days before people worried about security issues. These two positions are not necessarily incompatible, but the details of what Gibson found did not seem to make sense except as a “backdoor” designed into Windows. He said on his latest Security Now! podcast (#22), that if it wasn’t supposed to be a backdoor it’s hard to see why it’s there at all.

This, not surprisingly, has generated quite a kerfuffle, with many disputing Gibson’s analysis. Microsoft has denied that this was intended as a backdoor, as they would probably do whether it actually was or not. The comments on that site and this one are pretty lively, with opinions ranging from “Steve Gibson is an idiot” to more reasonable arguments on both sides. Ryan Hornbeck at Always On takes Gibson at his word on the backdoor question, pointing out that unless the code is open source one can never tell what the developers’ intentions were.

As we write this, Gibson’s site is apparently down. Whether that’s from the heavy load generated from this topic, some DoS attack by the We Hate Gibson Crowd, random internet problems, or the workings of The Great Satan (Microsoft), we may never know. While we’re waiting for to come back up, you might want to download the podcast (available from iTunes and others).

We agree with comments on the linked sites that one should not attibute malice to a situation that can be explained by incompetence. Consequently, we remain skeptical of the claim that this feature is designed by Microsoft as a backdoor. We know a lot less about security than Gibson (however much that is), and we do enjoy his podcasts, so we’ll see how this shakes out.

* We note that the term “hacker” does not necessarily imply the person doing the hacking is up to no good, although that is the way the general public tends to think of it these days.
** Microsoft now says that Win 9x systems will not execute the code in the WMF, FWIW.

Update: Dwight at TechBlog comes to a similar conclusion, and he has some additional background info about Gibson.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: