<<< Date Index >>>     <<< Thread Index >>>

Re: Microsoft knew about the WMF flaw for years



Richard M. Smith wrote:
Hi,

Stephen Toulouse writing in a Microsoft security blog has now confirmed that
the Microsoft has known about the WMF flaw for many years:

   Looking at the WMF issue, how did it get there?
   http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

"The potential danger of this type of metafile record was recognized and some applications (Internet Explorer, notably) will not process any metafile record of type META_ESCAPE, the overall type of the SetAbortProc record."

"The reason Windows 9x is not vulnerable to a "Critical" attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record."

This blog entry raises a number of important questions about Microsoft's
policy for handling security flaws in the Windows operating system:

   1.  Given the obvious dangers with SetAbortProc records, why
       didn't Microsoft simply disable the feature in the Windows
operating system altogether and come up alternate for aborting printing of WMF files? Why were all the inadequate work-arounds in application code pursued instead?

   2.  How come word about the dangers of the WMF file
       format did not make it to the Windows NT, 2000, and XP
       development teams as well as the team responsible for
       the Picture and FAX viewer?

   3.  Given the history of problems with WMF files, why
       hasn't support for them been removed from Internet
       Explorer?  Also shouldn't WMF files be marked in
the registry as not safe-for-downloading?
Richard M. Smith
http://www.ComputerBytesMan.com

I'll try and answer... naturally, these are only speculations:
Microsoft is a big corporation with completely different smaller "companies" inside of it. Imagine (as in fiction) the VP in charge of the development of Internet Explorer knowing of this vulnerability.

To fix it he needs the cooperation of a completely different department, as well as pass through bureaucracy. Further, he needs to possibly convince people to/of:
- Mess with legacy code written years ago, that currently works.
- Explain a security issue to people who don't really understand what the fuss is all about. - Explain why a feature, put in there by design, was a vulnerability and has to be removed while it so far has been fine, and removing it might just break stuff.
So, in my fiction, he just creates a work-around.

If I was to be a bit more on the paranoid side, I might have said Microsoft didn't want to mess with this. They have enough problems on their hands and look at the above three reasons already provided. So.. they entered it into their secret "security issues to work around in your products" database. :)

As to why this wasn't fix in later versions of products, etc. Maybe it was just something one developer came across, filed, and got lost in paperwork? Maybe it was a mistake? Maybe there knowledge management regarding security wasn't that amazing with Microsoft?

Putting fiction aside, we could be reading too much into what the guy from Microsoft said. Maybe they simple used a different technology and now make PR use of that to help a messy situation?

Whatever the reason was... we are beyond Microsoft bashing on it now. Now... we are on to waiting `till the next time it is unfortunately necessary -- which should be just around the corner.

I really believe Microsoft came a long way since just a few years ago, but they still seem to treat the security community as a "necessary evil" to work with, as well as a PR problem. As long as that doesn't change, I won't expect much from them regardless of efforts made.

        Gadi.