Explaining the WMF Vulnerability

by Ken Porter

This past week I have been asked to explain the WMF Vulnerability several times, and in most cases the question has been asked in a way that is similar to Joe's question in a previous vowe.net thread.

How exactly would one explain this vulnerability in this graphics rendering engine to a non computer literate person?

Here is how I have been explaining the WMF vulnerability in non-techie language.

The problem exists with Microsoft Windows and the way it displays a certain type of graphics file called a WMF file. A WMF file can contain two types of data: data about the graphic itself, and data which contains a computer program. The idea behind putting a computer program in a graphic file is that if Microsoft Windows encounters a problem displaying a particular graphic, it can run the computer program in the file to figure out how to handle the error condition.

This 'feature' has been in Windows for quite a while, and was written into Windows at a time when security was not as big a concern as it now is. It has now become a problem because some people have discovered they can use these WMF files to install virus code on a Windows machine. What they do is create a WMF file with an intentional error in the graphic part of the file, and then write a computer program in the second part of the WMF file which installs a computer virus of their choice. That in a nutshell is the WMF vulnerability.

Want more information? Here are some additional slightly techie things about this WMF problem.

It would be incorrect to call the WMF vulnerability a virus. Instead, it is a 'feature' of Windows that provides a back door method for someone else to generate a graphic file that will install viruses. The end result is the same, so this distinction really doesn't matter to most people. It still represents a problem that Microsoft has to fix.

The other slightly techie thing to highlight about this problem is that the program in the WMF file runs with the same privileges as the process that is displaying the graphic. This is a big problem because most home machines running Windows XP, for example, run with administrator privileges on that machine, which gives the WMF program full access to the machine. This is very dangerous.

The good news is that the Ilfak patch described in this vowe.net thread, as well as the official Microsoft update that was released Thursday, both fix the problem by disabling the error code processing within these WMF files. I am not familiar with a situation where you would need this type of functionality, but I have heard a few reports that some really old printers have stopped working once the WMF vulnerability was corrected. It sounds like the printer driver somehow makes use of this WMF 'feature', but I have no first-hand experience with this.
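As an added example, not part of the original post or of any vendor's tool: a small Python scanner that walks a WMF file's record list and flags the escape record (META_ESCAPE carrying the SETABORTPROC sub-function) through which the "error handling" program described above gets registered with Windows. The two sample metafiles are constructed inline, with zero bytes standing in for whatever an attacker would have put in the escape payload.

```python
import struct

# Identifiers from the WMF specification: the escape record type and the
# escape sub-function that registers a callback GDI later invokes.
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # optional 22-byte "placeable" header in front of the metafile
HEADER_SIZE = 18                       # size of the standard METAHEADER in bytes


def scan_wmf(data: bytes) -> list:
    """Walk the record list of a little-endian WMF and report every SETABORTPROC
    escape as {"offset": <record offset in file>, "payload_len": <escape bytes>}."""
    pos = 22 if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < pos + HEADER_SIZE:
        raise ValueError("truncated WMF header")
    # METAHEADER starts with mtType (1 = in memory, 2 = on disk) and mtHeaderSize in words
    mt_type, mt_header_size = struct.unpack_from("<HH", data, pos)
    if mt_type not in (1, 2) or mt_header_size != HEADER_SIZE // 2:
        raise ValueError("not a WMF METAHEADER")
    pos += HEADER_SIZE
    findings = []
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        size = size_words * 2                      # record sizes are counted in 16-bit words
        if function == 0 or size < 6 or pos + size > len(data):
            break                                  # META_EOF, or a truncated/malformed record
        if function == META_ESCAPE and size >= 10:
            escape_fn, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if escape_fn == SETABORTPROC:
                findings.append({"offset": pos, "payload_len": byte_count})
        pos += size
    return findings


def build_wmf(records: list) -> bytes:
    """Assemble a minimal on-disk WMF from (function, params) tuples; constructed test data only."""
    body = b""
    for function, params in records + [(0, b"")]:   # terminate with META_EOF
        body += struct.pack("<IH", (6 + len(params)) // 2, function) + params
    total_words = (HEADER_SIZE + len(body)) // 2
    header = struct.pack("<HHHIHIH", 2, HEADER_SIZE // 2, 0x0300, total_words, 0, 0, 0)
    return header + body


# Constructed samples: a harmless metafile that just draws a line (META_LINETO), and one
# carrying the escape record this vulnerability hinges on (dummy zero bytes as payload).
CLEAN_WMF = build_wmf([(0x0213, struct.pack("<hh", 10, 10))])
SUSPECT_WMF = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8)])

if __name__ == "__main__":
    print("clean:", scan_wmf(CLEAN_WMF))      # prints []
    print("suspect:", scan_wmf(SUSPECT_WMF))  # prints one finding at record offset 18
```

A hit means only that the file asks Windows to register the callback; a patched system ignores the request, but on an unpatched one the escape payload is what would run.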


Are you kidding? I presumed it was yet another buffer overflow.

This, IMHO, is a bigger story than the vulnerability itself. It's been four years, I think, since Bill Gates announced the "Trustworthy Computing" initiative and said that security was Microsoft's highest priority. Four years, and hundreds of incredibly smart people on the task, and nobody realized that this feature was a really bad idea. Surely that means that nobody has reviewed this feature in all that time, because even a cursory security review would surely have found the problem -- and that's scary. I can understand that coding mistakes happen even when security is the top priority, but not completing reviews of old designs within four years... that's inexcusable.

Richard Schwartz, 2006-01-07

What I find even more amazing is that it's taken both the black hat and white hat hacker community so long to find this. I'm no longer using Windows, so I don't know: How well can one work with a non-admin user (with regards to using/installing software and so on)?

Stefan Tilkov, 2006-01-07

> How well can one work with a non-admin user (with regards to using/installing software and so on)?

Simply put: you can't. However, this depends on many factors, and some people - especially in the IT admin community - would argue that this is a feature. Also, it's got a lot to do with the software you intend on using.

The best example I can come up with is my daughter's computer. Obviously her account doesn't have any admin rights. The result is that every so often I end up installing kid games for her because many of these *require* admin rights to get installed. What they need admin rights for is beyond me. But it doesn't stop there. HP, for example, decided that to use their USB scanners you have to have admin rights to install the software. In general, this wouldn't be a problem, since you install the software as admin and let your users scan whatever they want to scan. But not with HP. HP doesn't give you the option to "Install the software for every user" - which is a standard feature of Windows - so you have to install the software once for every single account that later on shall be able to scan. As the installation itself requires admin rights, you have to first put all the users into the admin group, install the software (one run for every user!), then revert the user rights back to normal - and pray that you didn't forget one.

To sum it up: in theory, you *could* use Windows without admin privileges. But it seems software QA is mostly done as admin, and thus you can find a whole lot of products behaving like the HP software and the kids' games above. So it's (for once) not Windows but the software vendors creating support hell for admins there.

Stefan Rubner, 2006-01-07

@Rich - you haven't been reading my blog, have you?

Chris Linfoot, 2006-01-07

@Chris: Yep. You're right. I didn't read that far into that post. I should have.

Richard Schwartz, 2006-01-07
