Anti-Windows Catalog

Who's afraid of Windows Metafile bugs?

Written by Gordon Fecyk, 1/3/2006

JOHN LEYDEN OF THE REGISTER usually makes light of horrifying vulnerabilities such as this Windows Metafile exploit. Today, however, he stood in line with the rest of the computer security world's fearmongers to repeat what everyone else begged you to do. He not only repeated the same bad advice issued by others this week, but went so far as to blame Microsoft for providing only a "partially effective" workaround.

Folks, I don't go around preaching "partially effective" workarounds for repeated problems found in Windows XP. In fact, even Microsoft spouts bad advice in this case. Crippling your system because of the fear of a threat is not going to solve the real problem.

I'm going to toot my own horn here (again!) and say that Pan-Am's clients were safe from this exploit before it was discovered.

LEYDEN AND OTHERS FORGOT MELISSA'S ULTIMATE LESSON. AGAIN. I don't make this claim lightly.

Back in 1999, the Melissa virus swamped e-mail accounts and mail servers because of a feature in Microsoft Word which allowed it to recognize a file's type regardless of the filename extension. In that case a Microsoft Word Template masqueraded as a Microsoft Word Document. Word Documents cannot contain program code, but Templates can.

What does this have to do with Windows Metafiles? Windows XP can interpret graphic files regardless of what filename extension they possess. For example, if a filename has a GIF extension, Windows XP's Picture Viewer will try to open it, but it will attempt to parse the file independent of the filename extension. This allows it to interpret a mis-named JPEG file, or a mis-named PNG file, or a mis-named WMF file the way it was intended.

The problem comes from WMF files masquerading as another file type, the most common example being a JPEG photo file. And the WMF interpreter has the vulnerability. So it's possible to name a booby-trapped WMF file as "nakedchk.jpg" and entice some gullible user to open it, triggering the exploit.

This is the exact same problem that Melissa posed in 1999. In Melissa's case, however, users of Microsoft Word 95 could have stopped it almost four years prior, simply by turning on the "Macro Virus Protection" switch in one of the option dialog panels. Word -- a Microsoft product -- had better anti-virus protection than you could buy off the shelf in 1999. Even more ironically, Windows Metafiles were exploited in April 2004, over eighteen months before the fact, and anti-virus software hasn't yet caught up. Anti-virus software failed us again, just like it did in 1999, and just like it has ever since then.

I EXPECT WINDOWS XP WILL STOP PARSING FILES THIS WAY when the next set of updates come on January 10th. Until then, crippling your system just to avoid it is bad advice. The SANS institute even admits that Microsoft's recommendation is only partially effective. Even worse, changing browsers or e-mail clients, or even operating systems, won't save you in the long run.

Instead, consider following some good advice. Practice safer computing. Use your system's built-in safeties, and for extra safety try Pan-Am's Lockdown Tool to prevent unwanted program code before it's written. Pan-Am's clients were doing this since 2003, and haven't been affected by this or any other exploit like it.

Related Links:

• Windows Metafiles were exploited back in April 2004 so what's so special about now? -- US-CERT
• Stop Being a Victim -- SecurityFocus
• The real reason everyone else scrambled
• Could this really be the ultimate anti-malware tool?

[Catalog Home]

Resources:

Recently Edited Categories:

Browse All Categories

Recent Commentaries:

Browse All Commentaries