Microsoft have an explanation.

Post #241,590 by static 1/16/06 10:56:52 PM 1/18/06 1:02:33 AM Reply	Microsoft have an explanation. And I believe it's credible. [link\|http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx\|http://blogs.technet...01/13/417431.aspx] To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. ... Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function. He goes on to say that IE's WMF execution would not recognise the function class that SetAbortProc is in, but there are simple ways to trick it into running such a WMF file via another program anyway. It looks like a case of a very old and still very useful low-level Windows function that is still around but the landscape around it has changed so much that it's causing problems. Wade. "Insert crowbar. Apply force." Edited by static Jan. 18, 2006, 01:02:33 AM EST Expand All History
Post #241,593 by admin 1/16/06 11:01:16 PM Reply	Artful Dodging That's not why Gibson thought it was a back door. The back door part comes in when you realize that the SetAbortProc functionality only works in a WMF when you explicitly (and incorrectly) set the content size to 1. BTW, fix your link, please. Regards, -scott anderson "Welcome to Rivendell, Mr. Anderson..."
Post #241,713 by static 1/18/06 1:08:26 AM Reply	Link fixed. Actually, I think MS and Gibson are talking past each other. This MS guy is asserting that Gibson is basically wrong to think of it as a backdoor. OTOH, Gibson seems to have found a genuine bug in the parsing of a WMF, if an incorrect length of 1 can trigger that behaviour. It'd be interesting to see his counter-response (he hasn't posted one yet). Wade. "Insert crowbar. Apply force."
Post #241,594 by admin 1/16/06 11:02:31 PM Reply	I like how that "blog" doesn't allow comments, too. Regards, -scott anderson "Welcome to Rivendell, Mr. Anderson..."
Post #241,602 by Andrew Grygus 1/17/06 2:41:55 AM Reply	If it's brought forward from legacy stuff . . . . . how come legacy Windows isn't vulnerable? The features enabling the vulnerability were introduced in Windows 2000 and XP. [link\|http://www.aaxnet.com\|AAx]
Post #241,637 by mmoffitt 1/17/06 11:03:40 AM Reply	Dang. Beat me to it. That was my first thought. bcnu, Mikem It would seem, therefore, that the three human impulses embodied in religion are fear, conceit, and hatred. The purpose of religion, one might say, is to give an air of respectibility to these passions. -- Bertrand Russell
Post #241,675 by altmann 1/17/06 8:29:52 PM Reply	No default program for WMF = No "critical" vulnerability -- Chris Altmann

Welcome to IWETHEY!