Re: Microsoft knew about the WMF flaw for years

[Gadi Evron <ge () linuxbox org>]

Richard M. Smith wrote:
> Hi,
>
> Stephen Toulouse writing in a Microsoft security blog has now confirmed that
> the Microsoft has known about the WMF flaw for many years:
>
>    Looking at the WMF issue, how did it get there?
>    http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
>
>    "The potential danger of this type of metafile record was 
>    recognized and some applications (Internet Explorer, notably) 
>    will not process any metafile record of type META_ESCAPE, 
>    the overall type of the SetAbortProc record."
>
>    "The reason Windows 9x is not vulnerable to a "Critical" 
>    attack vector is because an additional step exists in the Win9x 
>    platform: When not printing to a printer, applications will 
>    simply never process the SetAbortProc record."
>
> This blog entry raises a number of important questions about Microsoft's
> policy for handling security flaws in the Windows operating system:
>
>    1.  Given the obvious dangers with SetAbortProc records, why
>        didn't Microsoft simply disable the feature in the Windows
>        operating system altogether and come up alternate for 
>        aborting printing of WMF files?  Why were all the inadequate 
>        work-arounds in application code pursued instead?
>
>    2.  How come word about the dangers of the WMF file
>        format did not make it to the Windows NT, 2000, and XP
>        development teams as well as the team responsible for
>        the Picture and FAX viewer?
>
>    3.  Given the history of problems with WMF files, why
>        hasn't support for them been removed from Internet
>        Explorer?  Also shouldn't WMF files be marked in
>        the registry as not safe-for-downloading?  
>
> Richard M. Smith
> http://www.ComputerBytesMan.com

I'll try and answer... naturally, these are only speculations:
Microsoft is a big corporation with completely different smaller 
"companies" inside of it.
Imagine (as in fiction) the VP in charge of the development of Internet 
Explorer knowing of this vulnerability.

To fix it he needs the cooperation of a completely different department, 
as well as pass through bureaucracy. Further, he needs to possibly 
convince people to/of:
- Mess with legacy code written years ago, that currently works.
- Explain a security issue to people who don't really understand what 
the fuss is all about.
- Explain why a feature, put in there by design, was a vulnerability and 
has to be removed while it so far has been fine, and removing it might 
just break stuff.
So, in my fiction, he just creates a work-around.

If I was to be a bit more on the paranoid side, I might have said 
Microsoft didn't want to mess with this. They have enough problems on 
their hands and look at the above three reasons already provided. So.. 
they entered it into their secret "security issues to work around in 
your products" database. :)

As to why this wasn't fix in later versions of products, etc. Maybe it 
was just something one developer came across, filed, and got lost in 
paperwork?
Maybe it was a mistake? Maybe there knowledge management regarding 
security wasn't that amazing with Microsoft?

Putting fiction aside, we could be reading too much into what the guy 
from Microsoft said. Maybe they simple used a different technology and 
now make PR use of that to help a messy situation?

Whatever the reason was... we are beyond Microsoft bashing on it now. 
Now... we are on to waiting `till the next time it is unfortunately 
necessary -- which should be just around the corner.

I really believe Microsoft came a long way since just a few years ago, 
but they still seem to treat the security community as a "necessary 
evil" to work with, as well as a PR problem. As long as that doesn't 
change, I won't expect much from them regardless of efforts made.

        Gadi.