WMF Vulnerability - Code vs Data
Tuesday, 3 January 2006
F-Secure’s weblog explains how the WMF vulnerability arises from a feature that lets the WMF VM execute native x86 code through the Escape() function.
When Windows Metafiles were designed in the late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time.
This vulnerability arises because the WMF VM exposes the host CPU itself, rather than a restricted drawing interpreter, as an executable library to untrusted image data: a file that should only describe drawing operations can instead hand native code to the machine rendering it. Similar problems exist with Word macro viruses, where the entire VBA library is exposed to untrusted documents.
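To make the code-versus-data boundary concrete, here is an added Python example (not from F-Secure’s post or this blog) that walks a WMF file’s record stream, validates every length field against the actual file size, and flags META_ESCAPE records together with their escape subfunction. The record layout and the constants META_ESCAPE (0x0626) and SETABORTPROC (0x0009) come from the Windows Metafile format; the Record class, the function names and the sample metafile built inline (with placeholder bytes, not code) are my own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constants from the Windows Metafile (WMF) format.
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header prefix
META_EOF = 0x0000
META_SETWINDOWEXT = 0x020C
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape subfunction that registers a callback


@dataclass
class Record:
    offset: int                 # byte offset of the record in the file
    size_words: int             # record size in 16-bit words, header included
    function: int               # META_* record function code
    escape_function: Optional[int] = None   # only set for META_ESCAPE records


def parse_wmf(data: bytes) -> List[Record]:
    """Walk the record stream of a WMF file, validating sizes as it goes.

    Raises ValueError on truncated or inconsistent input instead of
    trusting the length fields embedded in the (untrusted) file.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _mt_type, header_size_words, _version = struct.unpack_from("<HHH", data, off)
    if header_size_words != 9:
        raise ValueError("unexpected WMF header size")
    off += header_size_words * 2

    records: List[Record] = []
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"record at {off} smaller than its own header")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at {off} overruns the file")
        rec = Record(off, size_words, function)
        if function == META_ESCAPE:
            # Escape records carry a subfunction and a byte count; both
            # must fit inside the declared record size.
            if size_words < 5:
                raise ValueError(f"escape record at {off} too short")
            rec.escape_function, byte_count = struct.unpack_from("<HH", data, off + 6)
            if 10 + byte_count > size_words * 2:
                raise ValueError(f"escape record at {off} has inconsistent byte count")
        records.append(rec)
        off = end
        if function == META_EOF:
            break
    if not records or records[-1].function != META_EOF:
        raise ValueError("missing META_EOF record")
    return records


def find_escapes(data: bytes) -> List[Record]:
    """Return the META_ESCAPE records: the places where image data can ask
    the host for behaviour beyond plain drawing."""
    return [r for r in parse_wmf(data) if r.function == META_ESCAPE]


def build_sample_wmf() -> bytes:
    """Constructed sample: a tiny memory metafile with one drawing record,
    one SETABORTPROC escape carrying placeholder bytes, and an EOF record."""
    setwindowext = struct.pack("<IHhh", 5, META_SETWINDOWEXT, 100, 100)
    payload = b"XXXX"           # placeholder bytes, not executable code
    escape = struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, len(payload)) + payload
    eof = struct.pack("<IH", 3, META_EOF)
    body = setwindowext + escape + eof
    # mtType=1 (memory), mtHeaderSize=9 words, mtVersion=0x0300,
    # mtSize in words, mtNoObjects=0, mtMaxRecord=7 words, mtNoParameters=0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 7, 0)
    return header + body


if __name__ == "__main__":
    sample = build_sample_wmf()
    for r in find_escapes(sample):
        print(f"escape record at offset {r.offset}, subfunction 0x{r.escape_function:04x}")
```

Escape records have legitimate uses (printer-specific control, for instance), so this is a triage aid for an analyst or a mail gateway rather than a blanket blocker, and it is no substitute for the vendor patch; the point it illustrates is that the parser can see exactly where a supposedly inert image starts asking the host to run something.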