The bugs that caused the most serious damage
Uncovering and exploiting Windows vulnerabilities has become as sport for many, and in a number of cases, even a career. We've rounded up a list of the worst Windows flaws we've endured since the introduction of Windows 98
WMF: Wherein malware is foisted
Bug identifier: CVE-2005-4560, MS06-001
Description: Vulnerability in graphics-rendering engine could allow remote code execution
Alias: Windows Metafile vulnerability, aka drive-by downloads
Date published: January 5 2006
Over the winter holidays in 2005, security researchers began discussing a newly discovered vulnerability in a Windows library used by the OS to display various kinds of graphics in apps and the OS itself.
The problem stemmed from a particular image file format, native to Windows since the days of Windows 3.0, called WMF (Windows Metafile). Used as the native format for storing graphics within Microsoft Office documents, support for WMF was by that point thoroughly embedded into Microsoft products.
WMF files contain function calls that a program sends to the Graphics Driver Interface (GDI). Someone discovered that WMF files can contain executable code as well. This would allow you to, say, create a WMF file that, merely by being viewing, invokes Internet Explorer to visit a particular URL, download a file, and execute that file. Special.
The aftermath of the discovery followed a familiar pattern. Microsoft issued a patch on January 5 2006, in record time. But for a long while, unpatched computers running vulnerable versions of gdi32.dll roamed the Internet, slurping up mountains of malware.
The bug had far-reaching effects, enabling malicious code to be foisted on unsuspecting users and executed in a variety of ways: previewing an email containing the malicious WMF file in Outlook; viewing an image preview in Explorer; viewing a malicious WMF in certain third-party graphics programs; indexing a hard disk that contained a malicious file; following a URL link in an email, IM, or on another webpage to a site where the malicious file was embedded in the webpage.
Upshot: We learned that nothing is sacred, that any file format could be considered hostile. And we also got a cool new name for an exploit method: drive-by downloads.
NEXT PAGE: The component that keeps on giving (headaches)
- These bugs caused serious damage
- Total server control with a single URL
- The Code Red bug
- The fastest infection ever
- The Blaster Worm bug
- The sassy bug with a lot of spunk
- Drive-by downloads
- The component that keeps on giving (headaches)