funsec mailing list archives

RE: Re[4]: Ilfak's WMF patch


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 2 Jan 2006 10:18:55 -0500

Ilfak,

First off, thanks for putting this .WMF patch together.  It's very useful.

I also have a technical question about .WMF files.  If a .WMF is directly
displayed by Internet Explorer using an <img src=> tag, why isn't the
SETABORT escape sequence being executed?  Is IE filtering out these escape
sequences already?

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Ilfak Guilfanov
Sent: Monday, January 02, 2006 8:28 AM
To: funsec () linuxbox org
Subject: Re[4]: [funsec] Ilfak's WMF patch


Monday, January 2, 2006, 1:49:58 PM, you wrote:

LS> Have you considered whether Windows EMF files, the 32-bit metafile 
LS> version, might also be vulnerable? I suspect if they were we would 
LS> have heard by now, but there are so many similarities in the formats
LS> (http://wvware.sourceforge.net/caolan/ora-wmf.html)

It is very unlikely that EMF files are vulnerable (at least not in the
same way as WMF files). While EMF and WMF serve the same purpose, their
designs are completely different: the file header, record types, and the
functionality apparently have been redesigned from scratch.

OTOH, EMF is still a sequence of instructions to GDI. If there is a problem
with a GDI function, it can be exploited by a special EMF file but I
personally doubt there is any.

--
Best regards,
 Ilfak                            mailto:ig () datarescue be

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

