1/2/2006

WMF Flaw Is Not A Bug, It’s A Feature

Filed under: — Aviran Mordo

What exactly is going wrong with the WMF vulnerability?

Turns out this is not really a bug, it’s just bad design. Design from another era.

When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time.

The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction.

This function was designed to be called by Windows if a print job needed to be canceled during spooling.

This really means two things:
1) There are probably other vulnerable functions in WMF files in addition to SetAbortProc
2) This bug seems to affect all versions of Windows, starting from Windows 3.0 - shipped in 1990!

“The WMF vulnerability” probably affects more computers than any other security vulnerability, ever.

Source: F-Secure

New High Quality Temporary WMF Vulnerability Fix

Filed under: — Aviran Mordo

Ilfak Guilfanov, well known in “reverse engineering” circles for his wildly popular IDA Disassembler, needed a temporary patch for his own system due to the seriousness of the WMF vulnerability . . . so he wrote one!

This safely and “dynamically patches” the vulnerable function in Windows to neuter it and, after rebooting, renders any Windows 2000, XP, 64-bit XP and 2003 systems completely invulnerable to exploitation of the Windows Metafile vulnerability.

Please Note: Unlike the “DLL unregister” recommendation offered by Microsoft (see RED box below) Ilfak’s patch completely eliminates the vulnerability. Therefore, until Microsoft is able to update and repair their vulnerable GDI32.DLL, this is what you should use. You do NOT need to unregister the DLL as described in the RED box below.

You SHOULD REMOVE THIS PATCH to restore full functionality to Windows Metafile processing once WIndows has been officially updated and repaired.

To Remove: Simply open the Windows Control Panel “Add/Remove Programs”, where you will find the “Windows WMF Metafile Vulnerability HotFix” listed. Remove it, then reboot.

Download Ilfak’s Temporary WMF Patch
291 kb — for Windows 2000, XP, 64-bit XP and 2003 server

Source: Security Now

Microsoft Released Virtual CD-ROM Free Utility

Filed under: — Aviran Mordo

Microsoft released Virtual CD-ROM Control Panel v2.0.1.1, a utility for Windows XP that allows you to create a virtual CD-ROM drive on your computer. This is especially helpful if you have a library of ISO images. If you are a Virtual PC fan, this utility will come in very handy considering you cannot use DVD ISO images within the Virtual PC software.

Source: techrepublic

Powered by WordPress