“When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time.
This function was designed to be called by Windows if a print job needed to be canceled during spooling.
This really means two things:
1) There are probably other vulnerable functions in WMF files in addition to SetAbortProc
2) This bug seems to affect all versions of Windows, starting from Windows 3.0 – shipped in 1990!
“The WMF vulnerability” probably affects more computers than any other security vulnerability, ever.”
A fundimental design flaw then, is it?
Back in the day, there were essentially no ways to infect NeXT machines. However, I remember having a conversation with someone I worked with that had worked with NeXT boxes longer than I had. Turns out that there was a way. The display system in NeXT was called Display Postscript. Postscript could contain executable code, and so it was possible to have a file, and image, that when viewed on a NeXT machine, would execute arbitrary code.
The display system in Mac OS X is essentially the same except that Adobe wanted to torpedo the display postscript, and so Apple went with, if I remember, essentially what could be called “display PDF” instead. I am not sure of PS files are still vulnerable to embedded code. I have vague memories that the issue was addressed in the past.
So, the flaw in WMF of having embedded executable code isn’t something that was only by design in WMF files. It appears that this design flaw was widely expected in graphic files that were to be used for printing graphics.
I wonder if the design flaw in WMF was developed to copy the postcript funtionality? I mean, would that not just be just? Instead of innovation in vulnerability, Microsoft may have even copied that from someone else, too.
And, some say that Open Source is all imitation of other people’s work?