Interview with Ilfak Guilfanov (WMF Patch Hero)

Posted by Zonk on Friday January 6, 2006 @06:52AM from the small-acts-lead-to-big-things dept.

GrayWolf42 writes "SecuriTeam Blogs has posted an interview with Ilfak Guilfanov, one of the people developing the IDA Pro disassembler, who also happens to have written the unofficial WMF vulnerability patch. In this short interview he discusses the patch, how it works, and why he wrote it." From the article: "Q: When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updated its software. Could you tell us more about what the patch does? A: The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk. It modifies [the image of] the system DLL 'gdi32.dll' because the vulnerable code is there." Microsoft has released an official update, which you should be able to download from the windows update site.

2 of 167 comments (clear)

Min score:

Reason:

Sort:

From the Interview... by IAAP · 2006-01-06 06:57 · Score: 5, Interesting

... There is one very powerful command code in WMF files. This command code means 'if something wrong happens, do the following: ...'. So the creator of the WMF file can make your computer do anything he/she wants by using this command code and deliberately creating an error condition afterward.
So this is a design issue?
Yes, it is a design issue.
I would think the MS would have a department of crackers and hackers to try to do shit like this. Also, didn't any of the original developers think of this when they wrote it or did they think the exploit was so remote, that it'll never happen?
Re:Why not scramble all DLL's and EXE's on the fly by Anonymous Coward · 2006-01-06 07:46 · Score: 5, Interesting

Or just do what OpenBSD does: Make writable memory non-executable, make executable memory non-writable. This bit of common sense is disappointingly rarely implemented.