Products that aren't designed for Windows XP or Windows 2000

Anti-Windows Catalog

We practice what we preach at Pan-Am Internet Services

Search Products By:

Who's afraid of Windows Metafile bugs?

Written by Gordon Fecyk, 1/3/2006

Microsoft Word could stop the Melissa Virus before any anti-virus product could in 1999.

Pan-Am's clients stopped the WMF exploit three years before it was released, just by using what was built into Windows XP.

JOHN LEYDEN OF THE REGISTER usually makes light of horrifying vulnerabilities such as this Windows Metafile exploit. Today, however, he stood in line with the rest of the computer security world's fearmongers to repeat what everyone else begged you to do. He not only repeated the same bad advice issued by others this week, but went so far as to blame Microsoft for providing only a "partially effective" workaround.

Folks, I don't go around preaching "partially effective" workarounds for repeated problems found in Windows XP. In fact, even Microsoft spouts bad advice in this case. Crippling your system because of the fear of a threat is not going to solve the real problem.

I'm going to toot my own horn here (again!) and say that Pan-Am's clients were safe from this exploit before it was discovered.


Windows Metafiles were exploited in April 2004, over eighteen months before the fact, and anti-virus software hasn't yet caught up. Just like in 1999, popular anti-virus software failed to do its job.

We can stop these things before the fact. Don't let Leyden and the others tell you otherwise.

Back in 1999, the Melissa virus swamped e-mail accounts and mail servers because of a feature in Microsoft Word which allowed it to recognize a file's type regardless of the filename extension. In that case a Microsoft Word Template masqueraded as a Microsoft Word Document. Word Documents cannot contain program code, but Templates can.

What does this have to do with Windows Metafiles? Windows XP can interpret graphic files regardless of what filename extension they possess. For example, if a filename has a GIF extension, Windows XP's Picture Viewer will try to open it, but it will attempt to parse the file independent of the filename extension. This allows it to interpret a mis-named JPEG file, or a mis-named PNG file, or a mis-named WMF file the way it was intended.

The problem comes from WMF files masquerading as another file type, the most common example being a JPEG photo file. And the WMF interpreter has the vulnerability. So it's possible to name a booby-trapped WMF file as "nakedchk.jpg" and entice some gullible user to open it, triggering the exploit.

This is the exact same problem that Melissa posed in 1999. In Melissa's case, however, users of Microsoft Word 95 could have stopped it almost four years prior, simply by turning on the "Macro Virus Protection" switch in one of the option dialog panels. Word -- a Microsoft product -- had better anti-virus protection than you could buy off the shelf in 1999. Even more ironically, Windows Metafiles were exploited in April 2004, over eighteen months before the fact, and anti-virus software hasn't yet caught up. Anti-virus software failed us again, just like it did in 1999, and just like it has ever since then.

I EXPECT WINDOWS XP WILL STOP PARSING FILES THIS WAY when the next set of updates come on January 10th. Until then, crippling your system just to avoid it is bad advice. The SANS institute even admits that Microsoft's recommendation is only partially effective. Even worse, changing browsers or e-mail clients, or even operating systems, won't save you in the long run.

Instead, consider following some good advice. Practice safer computing. Use your system's built-in safeties, and for extra safety try Pan-Am's Lockdown Tool to prevent unwanted program code before it's written. Pan-Am's clients were doing this since 2003, and haven't been affected by this or any other exploit like it.

Related Links:

Editor Log On:
Sign up to get an editor account.



[Catalog Home]




Product Roundups

What is the Anti-Windows Catalog?

Help for New Editors

Frequently Asked Questions

Recently Edited Categories:

Computers, Notebook

Media, Video

Game, Role Play

Scanner, ID Cards


Browse All Categories

Recent Commentaries:

The More Things Change, The More They Stay Secure

The devil you know, versus the Adobe you don't

Paying for things we get for free?

Jump! Jump! Jump! Jump! Or, Windows 8: Get Over It

Don't Fear the Start Screen

Browse All Commentaries

Pan-Am Home Page Valid HTML 4.01! All trademarks are property of their respective owners.