Stephen Toulouse writing in a Microsoft security blog has now confirmed that
the Microsoft has known about the WMF flaw for many years:
Looking at the WMF issue, how did it get there?
"The potential danger of this type of metafile record was
recognized and some applications (Internet Explorer, notably)
will not process any metafile record of type META_ESCAPE,
the overall type of the SetAbortProc record."
"The reason Windows 9x is not vulnerable to a "Critical"
attack vector is because an additional step exists in the Win9x
platform: When not printing to a printer, applications will
simply never process the SetAbortProc record."
This blog entry raises a number of important questions about Microsoft's
policy for handling security flaws in the Windows operating system:
1. Given the obvious dangers with SetAbortProc records, why
didn't Microsoft simply disable the feature in the Windows
operating system altogether and come up alternate for
aborting printing of WMF files? Why were all the inadequate
work-arounds in application code pursued instead?
2. How come word about the dangers of the WMF file
format did not make it to the Windows NT, 2000, and XP
development teams as well as the team responsible for
the Picture and FAX viewer?
3. Given the history of problems with WMF files, why
hasn't support for them been removed from Internet
Explorer? Also shouldn't WMF files be marked in
the registry as not safe-for-downloading?
Richard M. Smith