funsec mailing list archives

Re: Ilfak's WMF patch v. Microsoft's solution


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Sun, 01 Jan 2006 23:03:43 -0600


Richard M. Smith wrote:
> My gut says that the ill-advised ABORTPROC "feature" of .WMF files has no
> legit uses and therefore should be killed ASAP.  OTOH, Microsoft's current
> alternative of turning off the Windows picture/FAX viewer is much worse.
> Microsoft fails to point out that turning off the viewer kills the ability
> to view digital photos which is a big deal for many Windows users.

Aside from the fact that it kills some functionality that many users
use, Microsoft's workaround is not very effective.

Disabling Picture and Fax viewer *WILL* protect a default Windows XP PC
with IE installed from being exploited.  However, if the user uses a
different image viewer that will render WMFs as the default viewer for
those (or other similar) types of files, they will get owned.

> I'm really concerned that we will see the mother-of-email-worms in the next
> week or two before Microsoft releases a patch on Windows update.  I suspect
> Microsoft's patch will look a lot like Ilfak's which will simply kill
> ABORTPROC.

I don't see the ability to exploit WMFs being a major boost to an e-mail
worm.  For one, WMFs won't be rendered inline (i.e., automatically).
Unless a user is still running an e-mail client that allows IFRAMEs to
be rendered when reading mail, they won't be affected unless they
manually open the attachment.

Other vulnerabilities could have been much worse as far as e-mail worms
are concerned.  We might see a worm, but I highly doubt it would be the
mother-of-all e-mail worms.  That's a little excessive on the hype, IMHO.

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

