Final word on WMF flaw
I'm glad Mark Russinovich looked at this code and confirmed that it works in the way Steve Gibson documented. This lays to rest any doubt about the technology involved.
The point of dispute is how the abort procedure gets invoked, i.e. the difference between:

Reading an address (the file supplies a pointer, and the code it points at must already be in the process):
    SetAbortProc *fn;
    read(&fn, sizeof(fn), wmf);
    (*fn)(...);

Reading code (the file supplies the bytes themselves, which are then treated as a function):
    char code[bytecount];
    read(code, bytecount, wmf);
    SetAbortProc *fn = (SetAbortProc *)code;
    (*fn)(...);
Even Mark was a little confused about this behavior:
"The remaining question is why PlayMetaFile expects the abort procedure to be in-lined in the metafile. It's that fact that allows a hacker to transport malicious code within a WMF file. The actual reason is lost with the original developer of the API"
He then goes on to make an excuse for the developer being flexible or something. *NO* developer would see the utility of embedding code in a Windows 3.1 or even Win32 metafile, since the loader's code fixups are not applied to data read from a file. In Win16 days, you wouldn't have access to your data segment. If this bug had been around in real-mode days, you couldn't even be sure your program was in memory without a thunk.
It is this feature that is the most dangerous and of the most dubious utility, and it is this feature that gets the quickest glossing over. I am reminded of the NSA key BS about Microsoft needing a duplicate key in case they lost the original. Give me a break.
Now, I respect Mark Russinovich's technical abilities, but he has, most of the time, been a Microsoft apologist, and I don't think that this piece is any different. There is a feature that allows arbitrary code to be executed, and there is no real reason for it to be there, since developing code to use it would require a different tool chain from the one used to build applications. As the Windows API went from 16-bit to 32-bit, from a DOS extender to a VMS hack, this functionality was maintained, and that would have required work as the C language, the compilers and the bit widths changed over the years.
Sorry, I don't trust Microsoft: if it's there and has been maintained for some time, it is there for a reason. What is that reason?