Linked by Thom Holwerda on Wed 4th Jan 2006 22:45 UTC
The saga around the WMF flaw in Windows continues. "A cryptographically signed version of Microsoft's patch for the Windows Metafile vulnerability accidentally leaked onto the Internet late Tuesday, adding a new wrinkle to the company's round-the-clock efforts to stop the flow of malicious exploits. The MSRC (Microsoft Security Response Center) acknowledged that a slip-up caused 'a fast-track, pre-release version of the update' to be posted to a security community site and urged users to 'disregard' the premature update."
RE[2]: ...
by yawntoo on Thu 5th Jan 2006 17:04 UTC in reply to "RE: ..."

Here is an answer ;-)

Take this with a grain of salt since I don't work for MS, and don't have visibility into exactly what they have been doing.

As far as I understand, the flaw is in the GDI call Escape(). This means that the patch will likely need to be to GDI32.DLL and likely WIN32K.SYS. These are low level core components of the Win32 subsystem (the subsystem that most applications and the shell use).

So here is a bit more detail (as I understand it) into the issue:

The GDI framework is an API used to abstract away the details of graphics devices. This API is used to do basic graphics operations on video boards, and printers, and any other "display" device. Abstractions like this hide the details of the hardware from the applications programmer. This is a good thing.

The Escape call is a call that lets the application pass various commands to the driver without having to know the details of the driver. Most of the uses of this call are replaced with newer API calls, so this one has been around for quite a while. IIRC the issue here is that WMF files (which are really a set of GDI commands) can also contain Escape calls that will set a callback into arbitrary code (AbortProc). The proper use for this value is for an application to be able to tell the print driver to notify it if the print job has been canceled. However, a callback is a callback, and a malicious coder can make them do all sorts of nastiness.

Now GDI32.DLL is a rather thin library that mostly passes its work to WIN32K.SYS (in NT-based systems).

WIN32K.SYS is the kernel mode component of the Win32 Subsystem. It does the real work of Win32. It _is_ Win32.

Any modifications to these libraries, no matter how trivial, could have wide ranging impact. These changes need to be well tested. Since the updated libraries will likely contain the rest of the Win32 API they need to be localized.

The point is that WMF is not so much an image format as it is a GDI scripting language. So the patch needs to be in GDI not in an image format handler.

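The structure yawntoo describes (a WMF file as a stream of GDI records, one of which can be an Escape that requests an AbortProc callback) is something a defender can check for before a file ever reaches GDI. The following is an added example, not code from this thread or from Microsoft: a minimal WMF record walker that flags Escape records whose subfunction is SETABORTPROC, which has no business appearing in an image file. The record layout and the META_ESCAPE (0x0626) and SETABORTPROC (9) values are taken from the published WMF format rather than from the post, and the sample files are constructed inline.

```python
import struct

# WMF constants; these come from the Windows Metafile format, not from the
# thread above (editor's assumption, check against the MS-WMF specification).
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626          # record that maps to the GDI Escape() call
SETABORTPROC = 0x0009         # Escape subfunction installing an AbortProc callback
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header before METAHEADER
PLACEABLE_SIZE = 22
METAHEADER_SIZE = 18

def iter_records(wmf: bytes):
    """Yield (offset, function, params) for each record; sizes are in 16-bit words."""
    off = 0
    if len(wmf) >= 4 and struct.unpack_from("<I", wmf, 0)[0] == PLACEABLE_MAGIC:
        off = PLACEABLE_SIZE
    off += METAHEADER_SIZE
    while off + 6 <= len(wmf):
        size_words, func = struct.unpack_from("<IH", wmf, off)
        size = size_words * 2
        if size < 6 or off + size > len(wmf):
            break  # malformed or truncated record: stop rather than guess
        yield off, func, wmf[off + 6:off + size]
        if func == META_EOF:
            break
        off += size

def find_abortproc_escapes(wmf: bytes) -> list:
    """Return byte offsets of Escape records whose subfunction is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(wmf):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits

def build_record(func: int, params: bytes = b"") -> bytes:
    """Encode one record; params are padded to whole words."""
    params += b"\x00" * (len(params) % 2)
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_wmf(records: bytes) -> bytes:
    """Prefix a minimal 18-byte METAHEADER (mtType=1, 9 header words, version 3.0)."""
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(records)) // 2, 0, 0, 0) + records

# Constructed samples: a benign file, and one carrying an Escape(SETABORTPROC)
# record with a 4-byte zero payload standing in for the callback data.
CLEAN_WMF = build_wmf(build_record(META_SETMAPMODE, struct.pack("<H", 8)) + build_record(META_EOF))
SUSPECT_WMF = build_wmf(
    build_record(META_SETMAPMODE, struct.pack("<H", 8))
    + build_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
    + build_record(META_EOF)
)
```

A mail or web gateway can run the same walk over anything that parses as WMF regardless of its extension, since, as the post notes, the format is a GDI command stream rather than a picture.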

RE[3]: ...
by Nathan O. on Thu 5th Jan 2006 17:19 in reply to "RE[2]: ..."

Oooh. First sentence of your third paragraph foreshadowed the rest of the explanation nicely. Have you considered becoming a novelist? Your explanation was entertaining, thorough (enough), and clear. Thanks!

I guess a GDI scripting language sounded like a pretty good idea back when malware was comparably unknown.
