I remember looking long ago at how WMFs are made up and was amazed at the time to find that it was just a log of the GDI calls that were made, which were played back in order. I might even have fixed a bug in one of the Japanese versions of the Lotus Freelance products in the 1990s, since I was responsible for bugfixing file import and export filters and remember poking around the Metafile import code to see how it worked. Steve Gibson makes an interesting claim today regarding the Microsoft statement on the recently found WMF exploit:
This, too, is subtle misdirection. He's talking about an "additional step" that was LATER TAKEN OUT of Windows metafile processing, since Windows 9x/ME/NT came *before* the later "vulnerable" systems. And, even so, remember that what was done later with "SetAbortProc" is not really "SetAbortProc" at all .... but rather "RunThisCodeNow!"
Hear Steve Gibson explain why he thinks the WMF exploit was a deliberate backdoor in Windows.
Later politely debunked by Mark (Sony Rootkit) Russinovich
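To make the "log of GDI calls" idea concrete, and to show what a scanner looks for when it checks a file for the SetAbortProc escape discussed above, here is a small Python record walker. It is an added example, not code from this post or from any of the products mentioned; the record and header layout (word-counted sizes, 16-bit function numbers, META_ESCAPE = 0x0626, escape subfunction SETABORTPROC = 9) comes from the published WMF format, while the two sample files are constructed inline and the bytes after the escape are a placeholder, not real data.

```python
import struct

# Constants from the Windows Metafile format specification
META_EOF = 0x0000
META_SAVEDC = 0x001E
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009      # escape subfunction the 2005 advisory is about
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header


def build_wmf(records):
    """Assemble a minimal standard (non-placeable) WMF from (function, params) pairs.

    Each record is rdSize (DWORD, in 16-bit words, including its own header),
    rdFunction (WORD), then the parameter words.  This is exactly the
    'log of GDI calls' layout: records are simply appended in call order.
    """
    body = b""
    max_record = 0
    for func, params in records:
        params = params + b"\x00" * (len(params) % 2)   # pad to a whole word
        size_words = (6 + len(params)) // 2
        body += struct.pack("<IH", size_words, func) + params
        max_record = max(max_record, size_words)
    total_words = (18 + len(body)) // 2
    # mtType=1 (memory), mtHeaderSize=9 words, mtVersion=0x300, mtSize,
    # mtNoObjects=0, mtMaxRecord, mtNoParameters=0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_record, 0)
    return header + body


def iter_records(data):
    """Yield (function, params) for every record, in playback order."""
    offset = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22                      # skip the placeable header if present
    mt_type, hdr_words = struct.unpack_from("<HH", data, offset)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    offset += hdr_words * 2
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        if size_words < 3:
            raise ValueError("malformed record size at offset %d" % offset)
        end = offset + size_words * 2
        if end > len(data):
            raise ValueError("record runs past end of file at offset %d" % offset)
        yield func, data[offset + 6:end]
        if func == META_EOF:
            return
        offset = end


def find_setabortproc(data):
    """Return [(record_index, declared_byte_count)] for every SetAbortProc escape.

    A benign image has no reason to carry this escape, so any hit is worth
    quarantining for a closer look rather than handing the file to a renderer.
    """
    hits = []
    for idx, (func, params) in enumerate(iter_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                hits.append((idx, byte_count))
    return hits


# Constructed samples: a harmless file and one carrying the escape record.
BENIGN_WMF = build_wmf([(META_SAVEDC, b""), (META_EOF, b"")])
SUSPICIOUS_WMF = build_wmf([
    (META_SAVEDC, b""),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"XXXX"),  # placeholder payload bytes
    (META_EOF, b""),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, [hex(f) for f, _ in iter_records(blob)], find_setabortproc(blob))
```

The walker stops at META_EOF and refuses records whose declared size runs off the end of the buffer, which is the kind of sanity check a filter written in the "just play back the log" spirit tends to skip.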
Posted by stuartcw at January 15, 2006 08:04 PM