Slashdot Mirror
Two New WMF Bugs Found
Resident Egoist writes "Via PCWorld the news that two new Metafile bugs have been found, just a week after the patching of previous critical WMF issues." From the article: "All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update."
I may get owned by other /.ers here but,
If your windows box gets beaten to crap by spyware, malware, etc, you have to be doing something wrong. I use firefox with noscript and adblock on my home windows machine. I surf the web, but generally not to www.trytohackmywindowsboxhahaha.com - I browse to reputable websites only.
That being said, I run a virus scan "every once in awhile" and always pat myself on the back when 0 files are detecetd as viri, spyware, malware, or any of that other crap. The worst they do is tag some of my saved password cookies and say 'minor threat' and I dismiss their for-profit software as a piece-of-trash for saying cookies are some malicious bandwidth reeming whore.
Using *nix isnt going to save a user from their own habits - they'll find a way (harder on things like linux yes) to screw it up.
But with windows, it starts with step#1 - don't click the blue E
But maybe if they had been doing those in the first place they wouldn't be patching it now.
www.lucernesys.comHorizon: Calendar-based personal finance
But still released many days after independent programmers (e.g. Ilfak Guilfanov) managed to build a fix. At work (a national lab), we were explicitly instructed not to wait for the early windows patch.
i\hbar\dot{\psi}=\hat{H}\psi
As much fun as it is to lambast Microsoft for this kind of thing, the types of exploit that have been "exposed" recently are very difficult to predict in advance
Oh, do you really believe that it is difficult to predict that failure to check for null pointers in C code might lead to serious problems? Criticizing coding and QC practices that don't measure up to professional standards is hardly facile or unworthy. It's sort of like criticizing rampant fraud, waste, and abuse in our government. Never excuse the inexcusable.
One of our developers applied the Microsoft fix (along with ten others) this morning. He can no longer debug multi-threaded code in MSDev version 6.0. Stopping on a break point in any thread other than the main thread locks the GUI for all processes. At this point, we are testing if this is isolated to MSDev version 6 or all debuggers. We also do not know which of the ten or so patches was responsible. I would be interested to know if anyone else encounters this. At this point, our developer will be reinstalling his machine on Tuesday.
-Hope
Also, some applications use WMF internally. Both as resources (for static graphical content) and as a cache to avoid repeatedly CPU-intensive graphics operations. My application (an automotive analysis tool) does exactly this sort of thing at times to make the display snappier (and reduce laptop battery consumption).
Its no different in design to a PICT resource that the Mac toolbox uses (and I'm sure OS X to this day still has an interpreter in it).