Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Steve Gibson smokes crack?
From: "Peter Ferrie" <pferrie () symantec com>
Date: Sun, 15 Jan 2006 14:19:20 -0800

The file must not begin with the placeable (aka Aldus) meta file
header.  If it does begin with that, then the function is ignored,
and Windows continues to parse the file.
This is why Windows 9x, NT, and 2000, do not execute anything from
within Internet Explorer, for example - they do not support WMF
files without the Aldus header.

Ahh, perfect!  Thanks Peter that clears up a lot for me.  In fact does
this also infer that all you need is a "crapped" up pluggable viewer
for IE on Windows 9x, etc. to exploit this flaw on one of those O/Ss?
Yes, that's all you need.  The functionality is all there, there's
just no default method to trigger it.

Does this further indicate that Office 98 and other M$ Office versions
that run on the ealier O/Ss and support the WMF mapping are
'vulnerable' to exploitation - still ?

That one remains unclear, since it depends on how the device context
is created for displaying the file.  Office might treat embedded WMF
files as though they are placeable, in which case it's not vulnerable.
I haven't had time yet to investigate.
8^) p.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]