About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Home » Industry Watch

The WMF Flaw

Seasons greetings from Microsoft.

This one's so easy it's not funny. And there's no cure for it either. And it's spreading like wildfire.

And naturally it affect no platform other than Windows©®™.

The WMF 'flaw' has to do with an ability in 'Windows metafiles' to register code that the system will 'call back'. While David Cutler's memory security is otherwise rather tight, things fall apart here in the domain of the 'Undead'.

All a script kiddie has to do is:

  • Acquire some good shell code somewhere.
  • Create a metafile and tack the shell code on the back of it.
  • Register the shell code as a 'callback' inside the metafile proper.
  • Start spamming the hell out of everybody; start spamming blogs and chat rooms; start posting the metafile as a 'web bug' embedded object in websites;
  • Fill out a bank deposit slip.

The attacks are growing, and rapidly, with several thousand websites already out there lurking and waiting for unwitting (Windows) victims.

As it's not a programming but a design flaw, fixes are going to be slow coming. Windows (l)users can disable the 'DLL' responsible for WMFs - but in such case the desktop turns into mush.

Happy New Year©®™ from Microsoft Corporation©®™.

Aladdin Tackles WMF Vulnerability

Protection from critical WMF vulnerability

Lots of bad advice for critical WMF vulnerability!

Setting the record straight on the WMF vulnerability

Workaround, Protections Emerge for WMF Exploit

Extremely Critical Windows Security Hole

Windows 0-Day Exploit Helped by Open Source?

Trojan alert over unpatched Windows flaw

Exploiting the Windows XP/2003 Picture and Fax Viewer Metafile Overflow Vulnerability

New Trojan Program Labeled 'Critical'

Trojan Delivers Malware to Windows PCs

Windows WMF 0-day exploit in the wild

Update on WMF exploit

Security Breach Hits Windows

How To Beat Back The New Zero-Day Windows Bug

Another WMF (Windows Major Foul-Up)

Microsoft Promises To Patch Worsening Zero-Day Flaw

Hackers target zero day Windows vulnerability

Trojan alert over unpatched Windows flaw

Hackers exploit Windows flaw

Sites exploit Windows image flaw

Windows Metafile Flaw Exploited

New zero day exploit seen in the wild

Trojan delivers unwanted gift to Windows PCs

Attackers Exploit New Zero-Day Windows Bug

Critical Impact: Windows Metafile Flaw a 'Zero-Day Exploit'

Windows File Format in 'extremely critical flaw'

Be Careful - Critical Windows WMF File Security Flaw In the Wild

'Extremely critical' .wmf exploit tags Windows XP systems

Hackers Attack Zero Day Windows Vulnerability

Windows image flaw now 'extremely critical'

Critical Exploit found in most browsers, even fully patched windows systems

Trojan Exploit - WMF Attack



Analysts Fret as Adware Makers Leverage WMF Flaw

'Really Bad' Exploit Threatens Windows

MS Confirms WMF Flaw, Variants Spread

Footnote: The Undead

The GDI is the one part of 32-bit Windows not initially designed and constructed by David Cutler and his team from Digital Equipment Corporation. It is the one part of Windows not written in C but in C++. David Cutler's team didn't even understand Microsoft wanted a 'GUI' until it was too late - and then Microsoft assigned a group known as 'The Undead' to it.

The Undead were so called because they were always contributing to projects that failed and everyone figured they'd be phased out or fired, but somehow this never happened.

The head of The Undead was a notorious addicted gambler. It's a matter of record that a great part of the shakiness in Windows NT and its successors is due to this individual obsessing with coming up with a system to break the bank in Atlantic City and devoting most of his working time to this goal - and not to the code of the GDI.

It is also a matter of record that a computer scientist worth a pinch of salt is also good at mathematics and that anyone good at mathematics knows there are no systems to break any bank. It is therefore a fair conclusion that the head of The Undead was a blithering idiot.

And finally it is a matter of record that this individual chose to 'gamble' on a 'new language' called C++ to complete his project - and in fact was able to garner enthusiasm for this choice from then CEO Bill Gates himself.

In fact, Gates thought it was such a great idea that he went to Dave Cutler on three separate occasions to try to convince the DEC team to rip up their Windows NT code and start from scratch with C++.

What Cutler told Gates is also a matter of record.

Footnote: Yahoo! FUD!

If there's one thing the losers on Windows can't stand, it's to know the rest of the world are totally unaffected and laughing at them. Throw in a good portion blithering incompetence and you have a great stew.

In an extremely apologetic and defensive article Yahoo! describe the current WMF terror for the poor Windows users and then go on to smear the issue all over the place by quoting the supposed security expert Andrew Jaquith.

Without giving a direct quote, Yahoo nevertheless attribute to him with the sly quip 'Andrew Jaquith characterised the vulnerability as a serious security issue that has cropped up before in browsers including Firefox and Safari'.

This Jaquith must be some great security expert: he's evidently found a vulnerability no one else on the planet knows anything about.

Yahoo! journalism! at! its! finest!

About | Buy | Forum | Industry Watch | Learning Curve | Products | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.