Full Disclosure mailing list archives

RE: Steve Gibson smokes crack?


From: "Peter Ferrie" <pferrie () symantec com>
Date: Sun, 15 Jan 2006 14:19:20 -0800

The file must not begin with the placeable (aka Aldus) meta file
header.  If it does begin with that, then the function is ignored,
and Windows continues to parse the file.
This is why Windows 9x, NT, and 2000, do not execute anything from
within Internet Explorer, for example - they do not support WMF
files without the Aldus header.

Ahh, perfect!  Thanks Peter that clears up a lot for me.  In fact does
this also infer that all you need is a "crapped" up pluggable viewer
for IE on Windows 9x, etc. to exploit this flaw on one of those O/Ss?
 
Yes, that's all you need.  The functionality is all there, there's
just no default method to trigger it.

Does this further indicate that Office 98 and other M$ Office versions
that run on the earlier O/Ss and support the WMF mapping are
'vulnerable' to exploitation - still ?

That one remains unclear, since it depends on how the device context
is created for displaying the file.  Office might treat embedded WMF
files as though they are placeable, in which case it's not vulnerable.
I haven't had time yet to investigate.
 
8^) p.
 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
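The check Peter describes (does the file start with the placeable/Aldus header, and if not, does it carry the escape record that the exploit relies on) as an added triage example; this is not code from the thread. It assumes the function referred to above is the GDI Escape sub-function SETABORTPROC (value 9 in wingdi.h) and uses constructed sample files.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic key of the placeable (Aldus) WMF header
META_ESCAPE = 0x0626         # WMF record function code for GDI Escape()
SETABORTPROC = 9             # Escape sub-function (assumption: "the function" in the thread)


def classify_wmf(data: bytes) -> dict:
    """Classify a WMF blob: placeable header present? any Escape records? flagged?"""
    offset, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, offset = True, 22          # skip the 22-byte placeable header
    if len(data) < offset + 18:
        raise ValueError("too short for a METAHEADER")
    mt_type, hdr_size, _version = struct.unpack_from("<HHH", data, offset)
    if mt_type not in (1, 2) or hdr_size != 9:
        raise ValueError("not a WMF METAHEADER")
    pos, escapes = offset + 18, []
    while pos + 6 <= len(data):
        rd_size, rd_func = struct.unpack_from("<IH", data, pos)  # size is in 16-bit words
        if rd_size < 3:
            break                                               # malformed record
        if rd_func == META_ESCAPE and pos + 8 <= len(data):
            escapes.append(struct.unpack_from("<H", data, pos + 6)[0])
        if rd_func == 0:                                        # META_EOF
            break
        pos += rd_size * 2
    # Per the thread: a placeable header makes Windows ignore the escape, so only
    # non-placeable files carrying SETABORTPROC are worth escalating.
    return {"placeable": placeable, "escapes": escapes,
            "flagged": (not placeable) and SETABORTPROC in escapes}


def build_sample(placeable: bool) -> bytes:
    """Constructed test input: minimal WMF whose only record is Escape(SETABORTPROC, 0 bytes)."""
    esc = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)   # 5 words = 10 bytes
    eof = struct.pack("<IH", 3, 0)
    body = esc + eof
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    out = hdr + body
    if placeable:
        out = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + out
    return out


if __name__ == "__main__":
    for p in (False, True):
        print("placeable" if p else "plain", classify_wmf(build_sample(p)))
```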