New Year, New Vulnerabilities
2 January 2006 in Code-ing & Security
This new year started off in great fashion, with a new vulnerability discovered in Microsoft Windows that affects every computer out there and is ridiculously simple to use. The bug is that the WMF file format itself allows code to be executed on all computers running Microsoft Windows. The best part is that the bug is a feature dating all the way back to Windows 3.0 (1990)!
According to F-Secure’s weblog:
The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction. This function was designed to be called by Windows if a print job needed to be canceled during spooling.
This really means two things:
1) There are probably other vulnerable functions in WMF files in addition to SetAbortProc
2) This bug seems to affect all versions of Windows, starting from Windows 3.0 - shipped in 1990!
The (Unofficial) Fix
A fix for this security hole is already available, not from Microsoft but from the author of IDA, Ilfak Guilfanov. Here is a link to an installer of the unofficial patch:
http://www.hexblog.com/security/files/wmffix_hexblog13.exe
I have downloaded and installed the patches, just to be safe, since I have Google Desktop running. FYI: Google Desktop indexes, and thus runs, any malicious code in WMF files that you view in a browser or get via email, so you had better disable indexing (in GD preferences), uninstall Google Desktop (recommended by F-Secure) or install the patch ASAP.