Microsoft WMF Security Hole

A brand new year has arrived – the time of year for renewal of licenses for virus- and spyware programs, the time of year for urgent reports about a "new" security hole in Microsoft Windows.

The exploit is not really new. It is just another variation on a theme that has compromised security on the Microsoft Windows system since its inception – namely that a number of "features" in the system does not properly distinguish between code and data, or between operating system and application. When Microsoft designed the Windows Metafile Format (WMF) they thought it would be neat to let image files contain code. Cool design. But totally inappropriate for the Internet.

Microsoft isn't the only company doing this. Adobe included a similar "feature" with its PDF-format (and I bitched about it in 1998). But Microsoft has taken more care than any other company to integrate this particular type of braindamage deep into operating systems and Internet tools. Because Microsoft has integrated the interpreter for WMF active content in the Windows operating system, any third party application (such as the Google Toolbar) that knows about the association between WMF and the embedded interpreter and delegates the interpreation of WMF content to Windows can be exploited. I wrote about why this pratice is very bad security in an article in 2002 (in Norwegian). I could reprint it today and would not change a comma.

This security flaw is as old as Windows itself, but that does not mean that it is not severe. However, there are some things to protect yourself – even if you continue to use Windows. The immediate fix is simple. Unregister Shimgvw.dll, which is the part of Windows that excutes WMF code. The precise procedure for unregistering can be found under "Suggested Actions" in the Microsoft preliminary advisory on the problem.

As a further step, I would suggest the following action: Stop using Outlook (or Outlook Express)! Stop using Microsoft Internet Explorer! Both programs appear more and more as tools designed to spread malware, that also just happen to be able to display webpages and to send and receive email.

Internet tools doesn't have to execute active content from the Wild Wide Web or from unknown senders of email without as much as asking the user permission first. But Microsoft's software can and often will do this (to be fair to Microsoft – some user protection against malware has been added lately, but it is very badly designed. Many users do not understand why it is there, and others find it annoying. As a result, many users has learnt how to turn such protection off and are therefore still vulnerable. The same goes for restricting user privileges in Windows to contain damage. It is possible in theory, but it doesn't work in practice, because the system has never been designed with restricted user priveleges in mind.)

As an alternative to Outlook/Outlook Express and MSIE, almost anything would be an improvement, by my recommendation is the free software packages Thunderbird and Firefox.

Neither program is stupid enough to excute code off the Internet without asking the user permission first. As an extra safegard, Thunderbird can be set it up to block multimedia content. This is generally a good idea, and also makes porn spam less offensive by not displaying the images.

And for those fed up with the never-ending story about Windows security vulnerabilities, note that not all computers are vulnerable to the WMF threat: those running non-Windows operating systems are not affected.

That's right folks: You can use Linux. While Linux is not immune to virii and spyware, it does not (yet) come with this type of artificial stupidity designed into it. But that might not last forever – some Linux programmers seem to be just about as ignorant about basic Internet security as those employed by Bill Gates. These bozos keep trying to add "features" to Linux applications to automagically execute any multimedia content the application may stumble across. Let us keep such code out of the Linux, kids!