Microsoft knew about the WMF flaw for years



Richard M. Smith
17/01/06, 07:30
Hi,

Stephen Toulouse writing in a Microsoft security blog has now confirmed that
Microsoft has known about the WMF flaw for many years:

Looking at the WMF issue, how did it get there?
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

"The potential danger of this type of metafile record was
recognized and some applications (Internet Explorer, notably)
will not process any metafile record of type META_ESCAPE,
the overall type of the SetAbortProc record."

"The reason Windows 9x is not vulnerable to a "Critical"
attack vector is because an additional step exists in the Win9x
platform: When not printing to a printer, applications will
simply never process the SetAbortProc record."

This blog entry raises a number of important questions about Microsoft's
policy for handling security flaws in the Windows operating system:

1. Given the obvious dangers with SetAbortProc records, why
didn't Microsoft simply disable the feature in the Windows
operating system altogether and come up with an alternative for
aborting printing of WMF files? Why were all the inadequate
work-arounds in application code pursued instead?

2. How come word about the dangers of the WMF file
format did not make it to the Windows NT, 2000, and XP
development teams as well as the team responsible for
the Picture and FAX viewer?

3. Given the history of problems with WMF files, why
hasn't support for them been removed from Internet
Explorer? Also shouldn't WMF files be marked in
the registry as not safe-for-downloading?

Richard M. Smith
http://www.ComputerBytesMan.com
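The two quoted mitigations are both record-level filters: Internet Explorer refuses every META_ESCAPE record, while Windows 9x only skips the SetAbortProc escape when it is not printing. As an added example that is not part of this thread and not Microsoft's code, the following scanner walks the records of a WMF file and reports each META_ESCAPE record together with whether its escape sub-function is SetAbortProc, so a defender can see which records each policy would have stopped. The record layout and the constants META_ESCAPE (0x0626), META_EOF (0x0000), META_SAVEDC (0x001E) and the SetAbortProc escape code (9) are taken from the MS-WMF specification; the sample file it builds, and the second escape code 0x00FF it uses, are constructed for the demo.

```python
import struct

# Constants from the MS-WMF specification (assumed here; not quoted in the thread).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" prefix
META_ESCAPE = 0x0626         # record type carrying printer escapes
META_EOF = 0x0000            # last record of every metafile
META_SAVEDC = 0x001E         # harmless record used as filler in the sample
ESC_SETABORTPROC = 0x0009    # escape sub-function named in the MSRC post
ESC_OTHER_DEMO = 0x00FF      # constructed sub-function code, NOT SetAbortProc


def iter_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF blob.

    Record layout: RecordSize (uint32, counted in 16-bit words and including
    the 6-byte record header), RecordFunction (uint16), then parameters.
    """
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22                                  # skip the placeable header
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, pos + 2)[0]
    pos += header_words * 2                       # normally 9 words = 18 bytes
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:                        # smaller than the record header
            raise ValueError(f"malformed record size at offset {pos}")
        end = pos + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {pos} runs past end of file")
        yield pos, func, data[pos + 6:end]
        if func == META_EOF:
            return
        pos = end


def scan_escapes(data: bytes):
    """Return (offset, escape_code, is_setabortproc) for every META_ESCAPE record.

    A viewer applying IE's policy would reject every entry in the list; a
    viewer applying the Win9x behaviour (not printing) would only need to
    skip the entries whose third field is True.
    """
    findings = []
    for offset, func, params in iter_records(data):
        if func != META_ESCAPE:
            continue
        if len(params) < 4:                       # escape header itself is missing
            findings.append((offset, None, False))
            continue
        esc_code, _byte_count = struct.unpack_from("<HH", params, 0)
        findings.append((offset, esc_code, esc_code == ESC_SETABORTPROC))
    return findings


def _record(func: int, params: bytes) -> bytes:
    """Encode one record; parameter data is padded to a whole word."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(include_escapes: bool) -> bytes:
    """Construct a minimal in-memory WMF for the demo (not a real-world file)."""
    records = [_record(META_SAVEDC, b"")]
    if include_escapes:
        payload = b"XXXX"                         # constructed escape data
        for code in (ESC_OTHER_DEMO, ESC_SETABORTPROC):
            esc = struct.pack("<HH", code, len(payload)) + payload
            records.append(_record(META_ESCAPE, esc))
    records.append(_record(META_EOF, b""))
    body = b"".join(records)
    max_record_words = max(len(r) for r in records) // 2
    # Header: Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size (words),
    # NumberOfObjects, MaxRecord (words), NumberOfMembers.
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_record_words, 0)
    return header + body


if __name__ == "__main__":
    for offset, code, is_abort in scan_escapes(build_sample(True)):
        tag = "SetAbortProc" if is_abort else f"escape {code:#06x}"
        print(f"META_ESCAPE at offset {offset}: {tag}")
```

The scanner is a triage aid, not a full WMF parser: it validates only record sizes and the escape header, which is enough to tell which records a META_ESCAPE-rejecting viewer would have refused and which ones carry the specific SetAbortProc sub-function the post singles out.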

Gadi Evron
17/01/06, 21:30
Richard M. Smith wrote:
> Hi,
>
> Stephen Toulouse writing in a Microsoft security blog has now confirmed that
> Microsoft has known about the WMF flaw for many years:
>
> Looking at the WMF issue, how did it get there?
> http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
>
> "The potential danger of this type of metafile record was
> recognized and some applications (Internet Explorer, notably)
> will not process any metafile record of type META_ESCAPE,
> the overall type of the SetAbortProc record."
>
> "The reason Windows 9x is not vulnerable to a "Critical"
> attack vector is because an additional step exists in the Win9x
> platform: When not printing to a printer, applications will
> simply never process the SetAbortProc record."
>
> This blog entry raises a number of important questions about Microsoft's
> policy for handling security flaws in the Windows operating system:
>
> 1. Given the obvious dangers with SetAbortProc records, why
> didn't Microsoft simply disable the feature in the Windows
> operating system altogether and come up with an alternative for
> aborting printing of WMF files? Why were all the inadequate
> work-arounds in application code pursued instead?
>
> 2. How come word about the dangers of the WMF file
> format did not make it to the Windows NT, 2000, and XP
> development teams as well as the team responsible for
> the Picture and FAX viewer?
>
> 3. Given the history of problems with WMF files, why
> hasn't support for them been removed from Internet
> Explorer? Also shouldn't WMF files be marked in
> the registry as not safe-for-downloading?
>
> Richard M. Smith
> http://www.ComputerBytesMan.com

I'll try and answer... naturally, these are only speculations:
Microsoft is a big corporation with completely different smaller
"companies" inside of it.
Imagine (as in fiction) the VP in charge of the development of Internet
Explorer knowing of this vulnerability.

To fix it he needs the cooperation of a completely different department,
as well as pass through bureaucracy. Further, he needs to possibly
convince people to/of:
- Mess with legacy code written years ago, that currently works.
- Explain a security issue to people who don't really understand what
the fuss is all about.
- Explain why a feature, put in there by design, was a vulnerability and
has to be removed while it so far has been fine, and removing it might
just break stuff.
So, in my fiction, he just creates a work-around.

If I was to be a bit more on the paranoid side, I might have said
Microsoft didn't want to mess with this. They have enough problems on
their hands and look at the above three reasons already provided. So..
they entered it into their secret "security issues to work around in
your products" database. :)

As to why this wasn't fixed in later versions of products, etc. Maybe it
was just something one developer came across, filed, and got lost in
paperwork?
Maybe it was a mistake? Maybe their knowledge management regarding
security wasn't that amazing with Microsoft?

Putting fiction aside, we could be reading too much into what the guy
from Microsoft said. Maybe they simply used a different technology and
now make PR use of that to help a messy situation?

Whatever the reason was... we are beyond Microsoft bashing on it now.
Now... we are on to waiting 'till the next time it is unfortunately
necessary -- which should be just around the corner.

I really believe Microsoft came a long way since just a few years ago,
but they still seem to treat the security community as a "necessary
evil" to work with, as well as a PR problem. As long as that doesn't
change, I won't expect much from them regardless of efforts made.

Gadi.

Steven M. Christey
20/01/06, 10:00
Throughout all this discussion, we should not forget that it was not
just Microsoft, but other developers who appear to have implemented
and preserved this same WMF functionality over the years, e.g. Wine.
The problem might have originated with Microsoft's design choices way
back when, but few subsequent WMF implementations seem to have dealt
with this functionality. This is a general challenge with design
flaws, however.

- Steve