The Windows Metafile Format (.WMF) dates from 1990.
Personally, I'd hate to have to take responsibility for what I did back in 1990, but I haven't made $50 billion in the last 15 years so I don't have to.
The WMF format was designed to move graphics among Windows programs, and one of its features was to allow the execution of code within images. I'm calling this a feature because, at the time it was written, that's what it was. What we now know is that it was also a flaw.
It means that exploit code can be hidden in any Internet graphic, not just those with the .wmf extension. And it will run. It can turn into a keylogger, or a virus, or any other type of malware. And since the relevant code has now gone online, malware authors are hard at work creating exploits, all of which will continue to steal from innocent people until Microsoft finishes testing and distributing its own fix.
This has a lot of people, like the folks at Softprose, very mad at Microsoft. But it's not the code, or the vulnerability, which troubles me. It's the process.
I understand the need to be certain before pushing out a cure that may be worse than the disease. But we're not talking about a flu vaccine here. We're talking about code and a computer feature.
The easy thing to do, as Google software engineer Matt Cutts notes, is to turn off the vulnerable code. "You’ll lose some thumbnail previews and such, but if you want to be safe until a patch is available, click Start->Run and then type “regsvr32 /u shimgvw.dll” to disable the vulnerable DLL."
Of course, this can cause other problems, Cutts admits, but there's a way around those:
Update: Note that if you disable this DLL, you’ll lose the ability to preview images with a double click. What to do about that? I’d install the excellent Paint.net program from Washington State University. Then follow this support page from MSFT on how to change your file associations to use Paint.net to open your images. You’ll have to do it once for each filetype (.jpg, .gif, .png) that you want to view.
What Microsoft has done, and what antivirus program writers are doing, is operate in a closed source manner. They're keeping information to themselves, and giving out solutions when they get them. That makes some sense if the cure can really be worse than the disease, if we're talking about a flu vaccine. But we're not. In the computer world, the open source process of the Google engineer works best.
And that's an important lesson.
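Because a metafile is recognized by its content rather than its extension, as noted above, a defender has to inspect the bytes and not the filename. The following is an added example, not part of the original post: it identifies WMF data by its header and flags the record that registers a callback (META_ESCAPE with the SETABORTPROC function). Those record numbers and header layouts are taken from Microsoft's published WMF format specification, not from this page, and the sample files are constructed and carry no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626         # record function: device escape
SETABORTPROC = 0x0009        # escape function that registers a callback
META_EOF = 0x0000            # record function: end of metafile

def wmf_records_offset(data):
    """Return the offset of the first record if data looks like a WMF, else None."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off + 18
    return None

def inspect_image(name, data):
    """Classify a file by its content, treating the extension only as a claim."""
    pos = wmf_records_offset(data)
    if pos is None:
        return "not-wmf"
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:   # record shorter than its own header: stop walking
            return "wmf-malformed"
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                return "wmf-setabortproc"
        if func == META_EOF:
            break
        pos += size_words * 2   # record sizes are counted in 16-bit words
    return "wmf" if name.lower().endswith(".wmf") else "wmf-disguised"

# Constructed samples: an 18-byte header followed by records, no drawing data.
def _header(total_words):
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 5, 0)

EOF_REC = struct.pack("<IH", 3, META_EOF)
ESC_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)  # empty escape
BENIGN = _header(12) + EOF_REC
FLAGGED = _header(17) + ESC_REC + EOF_REC

if __name__ == "__main__":
    for name, blob in (("chart.wmf", BENIGN), ("photo.jpg", BENIGN), ("photo.jpg", FLAGGED)):
        print(name, inspect_image(name, blob))
```

A header match on so few bytes can produce false positives on arbitrary binary data, so treat "wmf-disguised" as a reason to look closer, not as a verdict.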
1. Brad Hutchings on January 15, 2006 10:19 PM writes...
I don't get it. CERT releases the alert on 28-December-2005, and updates on 31-December-2005. Microsoft researches, acknowledges, and has issued a bulletin on 5-January-2006. The bulletin contains the exact workaround the Google engineer above suggests, except that they spell out exactly what it will prevent (and won't prevent) and what the side effects will be.
Meanwhile, it's 15-January-2006 and you're at least 10 days behind this. Why is that a recurring theme around here, especially when you're looking for examples to make open source look so totally angelic?
2. Anonymous on January 16, 2006 12:21 AM writes...
[insert cliche anti-Microsoft gibberish here]