Interview: Ilfak Guilfanov ~ author of WMF fix (temporary )

SecuriTeam Blogs ^ | January 4, 2006 on 8:31 pm | | Matthew

[Ernest_at_the_Beach]

Seeking to put some of the confusion about the recent Windows Metafile vulnerability to rest, I interviewed one of the most reliable sources of information on the bug: Ilfak Guilfanov. In addition to discussing the temporary patch he authored, Ilfak offers valuable guidance and accurate information on a more general level for those dealing with this vulnerability.

Tell us a little about yourself so that the audience knows who you are.

I’m the author of the IDA Pro tool, which is used by security specialists to analyze software binaries. IDA Pro is the biggest program I wrote, but there are also other programs (PhotoRescue, for example).

Now let’s discuss some of the details of the Windows Metafile vulnerability. There has been a lot of conflicting information about the details of the flaw. Could you just describe the vulnerability for us so that people understand what the issue is?

Yes, there is some confusion about the vulnerability. To speak simply, it is possible to get infected just by browsing the internet.

A specially-crafted WMF file can take full control of your computer. In fact, a WMF file is not an ordinary graphic file. It looks more like a program rather than a data file, because it consists of a sequence of commands for Windows.

Most are commands like ‘draw a blue line’, ‘fill a rectangle with red’, and so on.

There is one very powerful command code in WMF files. This command code means ‘if something wrong happens, do the following: …’. So the creator of the WMF file can make your computer do anything he/she wants by using this command code and deliberately creating an error condition afterward.

So this is a design issue?

Yes, it is a design issue.