January 03, 2006

WMF vulnerability

[Update 1/6/2006: Microsoft's official patch is out, released five days ahead of "Patch Tuesday". However, note that (ironically) Linux is still vulnerable to the WMF exploit via WINE. I don't know about Virtual PC under Mac OS X.]

This has nothing to do with linguistics, but it isn't as widely known as it ought to be, and it's important, so I'll post it here. If you or yours have any computers running Windows XP, you should run, not walk, to this story at the Internet Storm Center, and consider following the instructions found there (installing a patch and de-registering a particular .dll). This may protect you until Microsoft makes a more systematic solution available.

The patch was written by Ilfak Guilfanov, who has also released a program that tests your system for vulnerability. There's a security advisory from Microsoft (but no patch), a vulnerability note from CERT, some additional information from Mikko at F-Secure, a Washington Post story, and a CVE entry.

Because this exploit was publicized on Dec. 27, bad guys around the world have had a week to work on ways to use it while most people have been busy with other things. I believe you'll be hearing more about this.

[Update: here's a ZDNet article.

Let me add that something about this situation puzzles me a great deal. It was back in January of 2002, fully four years ago, that Bill Gates was reported to be "kicking off an all-out effort to repair the company's reputation for poor security and reliability". The simplest and most obvious security vulnerabilities are those that arise because a standard, commonly-used file format includes, by design, the capability to instruct the OS to execute some arbitrary piece of code. How can it possibly be true that after a few weeks (never mind four years) of "all-out effort", some MS software engineer didn't call attention to the fact that Windows Meta Files -- a common graphics format on Windows machines -- contain such a vulnerability? If no one noticed this, then Redmond's engineers are incompetent. If someone did notice, and nevertheless up to four years went by during which no one did anything to patch the vulnerability, then Redmond's managers are incompetent. Either way, it's a bad omen for Microsoft's future.]

[Note -- I incorrectly glossed "wmf" as "windows media file" -- thanks to several alert readers for correcting the mistake. That's what I get for learning as little as possible about Windows internals...]

Posted by Mark Liberman at January 3, 2006 07:00 AM