WMF-Exploit and Google Desktop

At this point, the now infamous Windows Meta File image exploit is old news but why the fix that Microsoft released in January, MS06-001, was important still evades many average users. To understand it, you need to understand how images are formed on a byte level.

Every image has data associated with it called metadata. Metadata is decriptive data such as "this is a JPEG", or "this photo was taken by a Panasonic DMC-TZ1S digital camera" or "the resolution of this images is 640 x 480". This kind of descriptive data forms "headers" and it is what assists computers in being able to determine how to process the file.

It was discovered that if these headers were constructed in a certain fashion, that the built in image processing engine in Windows would mishandle the file and could allow for other activity within Windows that was unrelated to the image itself. For a hacker who could massage an images metadata and convince someone to open the image, he could potentially gain access to the users system and the user would be no wiser.

The MS06-001 patch released in January was so super critical to Windows users, especially business and enterprise users, that Microsoft broke their normal routine of releasing all patches on the first Tuesday of the month (Patch Tuesday) to issue this fix.

While this patch was critical anyway, the situation was exacerbated by the proliferation of third party search tools, such as the Google Desktop. Users like these tools because they make the task of searching a computer for files a million times easier. They are given a familiar Google search web page or taskbar search box and Google would proactively index the computer preparing for the users search.

The problem with this is that in searching, Google would read the headers of all the files it would encounter to determine how it would need to handle the file should the user find it and need it. For image files, this meant parsing the metadata of the images it would find – including potentially parsing corrupt code that might lie in an image that had been tampered with.

This made being exploited many times more likely and just as invisible. You would have no idea.

There’s a test to see if you are still vulnerable, but chances are you’ve been patched by now.

Powered by Qumana