Microsoft was aware of the WMF vulnerability “for years”



Bugtraq has an interesting post which picks up on a note in Stephen Toulouse’s latest entry on the WMF vulnerability. When I first read Toulouse’s entry I was more interested in the way he was responding to allegations of the flaw being an intentional backdoor, but the Bugtraq post draws out an implication that I missed….. (emphasis is mine…)

“The potential danger of this type of metafile record was recognized and some applications (Internet Explorer, notably) will not process any metafile record of type META_ESCAPE, the overall type of the SetAbortProc record.”


So, if it’s a potential danger, why hasn’t refusing those records been the policy across all applications, and not just Internet Explorer?….

Anyway, the post, by Richard M. Smith, makes some interesting points…

1. Given the obvious dangers with SetAbortProc records, why didn’t Microsoft simply disable the feature in the Windows operating system altogether and come up with an alternative for aborting printing of WMF files? Why were all the inadequate work-arounds in application code pursued instead?

2. How come word about the dangers of the WMF file format did not make it to the Windows NT, 2000, and XP development teams as well as the team responsible for the Picture and FAX viewer?

3. Given the history of problems with WMF files, why hasn’t support for them been removed from Internet Explorer? Also shouldn’t WMF files be marked in the registry as not safe-for-downloading?

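Toulouse’s note says Internet Explorer refuses every META_ESCAPE record, and Smith’s first point asks why that policy was not applied everywhere. The scanner below is an example added here, not code from the original post or from Microsoft: it walks the record headers of a WMF file and flags every META_ESCAPE record, singling out those whose escape sub-function is SETABORTPROC. The record layout and constants (META_ESCAPE = 0x0626, SETABORTPROC = 9, META_EOF = 0, sizes expressed in 16-bit words) follow the published WMF format; the sample files are constructed inline for the demonstration, and the function names (`scan_wmf`, `build_sample_wmf`, `is_safe_to_render`) are this example’s own.

```python
import struct

# Record function codes and escape sub-function from the WMF format.
META_EOF = 0x0000
META_SETBKMODE = 0x0102      # a harmless record used to pad the constructed samples
META_ESCAPE = 0x0626         # the record type Internet Explorer refuses outright
SETABORTPROC = 0x0009        # the escape sub-function behind the WMF flaw
PLACEABLE_MAGIC = 0x9AC6CDD7 # key of the optional 22-byte placeable header


def iter_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF blob.

    Raises ValueError on truncated or inconsistent input rather than guessing,
    so a scanner caller can treat 'unparseable' as 'do not render'.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _mt_type, header_words = struct.unpack_from("<HH", data, off)
    off += header_words * 2                       # header size is in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                        # 4-byte size + 2-byte function minimum
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def scan_wmf(data):
    """Return [(offset, description)] for every escape record in the file."""
    findings = []
    for off, func, params in iter_wmf_records(data):
        if func != META_ESCAPE:
            continue
        # Escape parameters start with the escape sub-function number.
        sub = struct.unpack_from("<H", params, 0)[0] if len(params) >= 2 else None
        if sub == SETABORTPROC:
            findings.append((off, "META_ESCAPE/SETABORTPROC"))
        else:
            findings.append((off, f"META_ESCAPE (sub-function {sub})"))
    return findings


def is_safe_to_render(data):
    """Apply the Internet Explorer policy: refuse any file carrying an escape record."""
    try:
        return not scan_wmf(data)
    except ValueError:
        return False


def _record(func, params):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample_wmf(escape_records):
    """Construct a minimal WMF for testing: one benign record, the given escapes, EOF.

    escape_records is a list of (sub_function, payload_bytes); payloads here are empty.
    """
    recs = [_record(META_SETBKMODE, struct.pack("<H", 1))]
    for sub, payload in escape_records:
        recs.append(_record(META_ESCAPE, struct.pack("<HH", sub, len(payload)) + payload))
    recs.append(_record(META_EOF, b""))
    body = b"".join(recs)
    max_rec_words = max(len(r) for r in recs) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec_words, 0)
    return header + body


if __name__ == "__main__":
    clean = build_sample_wmf([])
    suspect = build_sample_wmf([(1, b""), (SETABORTPROC, b"")])
    print("clean:", scan_wmf(clean), is_safe_to_render(clean))
    print("suspect:", scan_wmf(suspect), is_safe_to_render(suspect))
```

The point of the two-level report is the one Toulouse and Smith disagree on: a renderer can either refuse every META_ESCAPE record (the Internet Explorer policy, which `is_safe_to_render` applies) or only the SETABORTPROC sub-function, and a gateway or mail filter that logs `scan_wmf` output can see which choice it is relying on.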
What’s worrisome, of course, is that we KNOW about this one now; I wonder how many things like this are out there that we aren’t yet publicly aware of. This is, again, a real problem with the closed source approach: you’re relying on information staying secret when it’s embedded in a product that is widely available… or at least hoping that the makers of the product are aware of AND FIX any vulnerabilities before they’re widely known.

What this says to me is that Microsoft, being aware of the “potential danger”, COULD have patched this a long time ago. They probably chose not to, as they do with many issues, because it was “not actively being exploited”.

How many other areas does Microsoft see “potential dangers” in that they don’t publicly talk about?

What really gets under my skin about this is finding this out not far on the heels of all the articles I read about “Windows more secure than Linux” and the ummm…. various interpretations of US-CERT’s vulnerability announcements. I’ve seen the bug reports of many Linux security vulnerabilities, read the mailing list discussions, etc. etc., and by and large when ANYONE says, “you know this….. could be a problem, someone MAY be able to find a way to use this to run code| escalate privilege| crash a system|etc…” it is taken VERY seriously. I can’t think of one security bug where I’ve seen an open source developer say, “well…. no one seems to be exploiting it, so we’ll just leave it there….” They usually do a patch to fix it and move on (after releasing a notice for everyone to step up to the newest maintenance version….) /vent…
