funsec mailing list archives

Re: Ilfak's WMF patch


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Sun, 01 Jan 2006 19:40:21 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Ilfak Guilfanov wrote:
> Hello Matthew,
>
> Sunday, January 1, 2006, 11:44:53 PM, you wrote:
>
> MM> Not even a question.  The ABORTPROC record type has *ZERO* legitimate
> MM> use in the real-world.  It is designed to execute arbitrary code, making
> MM> it a security risk without legitimate value.  If there are apps that use
> MM> the functionality, I for one, am happy to see them broken.
>
> I agree with you that the ABORTPROC record has no use in the WMF
> files.
>
> But there is a reason why it exists: WMF data can be file based and
> memory based. If it makes little sense to embed an executable
> procedure in a file, some programs may generate a memory based WMF
> with ABORTPROC. These memory based WMFs can be used to pass data
> between different parts of the program. In this setting the ABORTPROC
> record makes sense and poses no security risk.
>
> When I mentioned broken functionality in the description of the
> fix, I meant memory based WMFs.
>
> OTOH, I do not know what (if any) programs use them.

Interesting note.  As I looked at the ABORTPROC record's technical
specifics, it seemed highly unlikely that a file could use it in such a
way as to do something meaningful that was not limited to a specific editor.

In the context of in-memory WMFs, though, that wouldn't be much of a
drawback.  That's good research on your part.

While it is possible, I don't see too many graphics editors using this
functionality -- it's just too much of a kludge.  Aside from the fact
that WMF is an *_antiquated_* 16-bit format, most editor programs use a
native or more common format.  So, for the "what (if any) programs use
them", I suspect the answer is: none.

I'll just put it this way... I'm none-too-concerned about any real-world
breakage from the fix you've offered. :-)

I suspect MS will follow suit, disabling ABORTPROC for at least on-disk
files.  Given that the on-disk/in-memory determination is made based on
a bit in the image header, Microsoft may be forced to take the exact
same course of action you have.  We shall soon see, as it doesn't seem
Microsoft can afford to waste time getting this fix out the door.

> MM> It might be worth noting that Ilfak only tested his patch on XP SP2.
> MM> It's been said to work on Windows Server 2003 SP1 by some, though it's
> MM> confirmed that it does indeed break on XP SP1, XP RTM, and there are
> MM> conflicting reports about Win2003 RTM.  Windows 2000, Windows 98, and
> MM> Windows Me users aren't able to apply the fix, either.  Given that the
> MM> number of Win2003 systems out there is going to be pretty small, it
> MM> seems that most non-XP desktop environments will be out of luck, as will
> MM> environments that haven't made the move up to SP2 from SP1 or (god
> MM> forbid) RTM.
>
> The fix has been tested on 2000, XP, and Server2003 machines so far.
> As for WinME/98 - I have no idea. It is quite possible that they are not
> vulnerable but this is to be checked.

My apologies!

I had visited your site previous to the update that enabled Windows 2000
support.  Nice work.  Excuse me while I pull my foot out from between my
teeth.

> MM> As an aside, with source code being available, I imagine that Ilfak's
> MM> patch could be ported to different environments if copies of the
> MM> gdi32.dll file from those systems could be procured.
>
> Yes, I love to hear that.
>
> However, porting to Win9x systems will be a pain. I doubt that it is
> possible/desirable to patch gdi32.dll as it is done for NT based
> systems.

The patching semantics would be different, but I imagine it's still
possible.  That aside, though, being your patch supports the systems in
the most use for desktop OSes (Windows 2000 and Windows XP), I'm not
nearly as concerned.  Windows 98 and Windows Me are on their last legs
as viable OSes, and the "criticals only" patch policy for it has left it
a minefield as is.

I will be counting my blessings the day that support for the operating
scourges... er, systems... known as Windows 98 and Windows Me expires.
6 months and 30 days.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDuISFfp4vUrVETTgRA/VZAKCf5q+TIspWYR1AYCac7UjFxI2/YQCfZllC
WUVeoJwTV5NgTHqvaqi7lg8=
=cGZo
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
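The exchange above turns on two facts a defender can check mechanically rather than argue about: the header field that marks a WMF as memory-based or disk-based (the "bit in the image header" Matthew refers to), and the ESCAPE record that registers an ABORTPROC. The following Python scanner is an added example, not code from this thread and not Ilfak's patch; it parses the standard WMF record stream and reports any SETABORTPROC escape, treating it as suspicious in a disk-based file (where the thread agrees it has no legitimate use) and as merely worth review in a memory-based one. The record and escape codes (META_ESCAPE 0x0626, SETABORTPROC 9, header Type 1 = memory, 2 = disk) come from the public WMF format, not from the page; the sample files are constructed inline and contain no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable (APM) header
META_ESCAPE = 0x0626         # record function code for GDI escapes
META_EOF = 0x0000            # terminating record
SETABORTPROC = 0x0009        # escape subtype that registers an abort procedure
METAFILE_TYPES = {1: "memory", 2: "disk"}   # header Type field values


def parse_wmf(data):
    """Parse a WMF blob into (metafile_type, [(function, params), ...]).

    Raises ValueError on truncated or inconsistent input so that a malformed
    file is reported instead of silently passing as clean.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # Type, HeaderSize (words), Version, FileSize (words), NumObjects, MaxRecord, NumMembers
    mtype, hdr_words, _ver, _size, _nobj, _maxrec, _nmem = struct.unpack_from(
        "<HHHIHIH", data, off)
    if hdr_words != 9:
        raise ValueError("unexpected header size %d words" % hdr_words)
    off += 18
    records = []
    while True:
        if len(data) < off + 6:
            raise ValueError("truncated record at offset %d" % off)
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError("bad record size at offset %d" % off)
        records.append((func, data[off + 6:off + size]))
        off += size
        if func == META_EOF:
            return mtype, records


def find_abortproc(data):
    """Return (metafile kind, indices of ESCAPE records whose subtype is SETABORTPROC)."""
    mtype, records = parse_wmf(data)
    hits = []
    for idx, (func, params) in enumerate(records):
        # ESCAPE params: WORD escape subtype, WORD byte count, then escape data
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(idx)
    return METAFILE_TYPES.get(mtype, "unknown"), hits


def assess(data):
    """Classify a WMF: 'clean', 'suspicious' (disk file with ABORTPROC) or 'review'."""
    kind, hits = find_abortproc(data)
    if not hits:
        return "clean"
    return "suspicious" if kind == "disk" else "review"


# --- constructed sample builders (not real-world files) ---------------------

def _record(func, *words):
    body = struct.pack("<" + "H" * len(words), *words)
    return struct.pack("<IH", (6 + len(body)) // 2, func) + body


def build_sample(mtype, with_abortproc):
    """Build a minimal WMF of the given header Type (1 memory, 2 disk)."""
    recs = []
    if with_abortproc:
        recs.append(_record(META_ESCAPE, SETABORTPROC, 0))   # escape with zero data bytes
    recs.append(_record(META_EOF))
    body = b"".join(recs)
    max_words = max(len(r) for r in recs) // 2
    header = struct.pack("<HHHIHIH", mtype, 9, 0x0300,
                         (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


if __name__ == "__main__":
    for label, blob in (("disk+abortproc", build_sample(2, True)),
                        ("memory+abortproc", build_sample(1, True)),
                        ("disk, no escape", build_sample(2, False))):
        print("%-18s -> %s" % (label, assess(blob)))
```

Run against real files by reading them in binary mode and passing the bytes to `assess`; a ValueError on a file that should have parsed is itself a finding worth looking at, since the exploitation path discussed in this thread depends on the parser hitting a malformed record after the escape.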

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
