What exactly is going wrong with the WMF vulnerability?

Turns out this is not really a bug, it's just bad design. Design from another era.

When Windows Metafiles were designed in the late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time. The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction.

This function was designed to be called by Windows if a print job needed to be canceled during spooling...

F-Secure : News from the Lab
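
Because an image file has no legitimate reason to register a print-abort callback, the defensive check that follows from the description above is to walk the WMF record list and flag any META_ESCAPE record whose escape code is SETABORTPROC. The Python below is an added example written for this page, not code from F-Secure or Microsoft; the header layout, the META_ESCAPE (0x0626) and META_EOF (0x0000) function codes and the SETABORTPROC (9) escape code are taken from the public WMF format, while the sample file built by build_sample() is constructed here purely to exercise the scanner (its four payload bytes are filler, not executable content).

```python
import struct

META_ESCAPE = 0x0626          # record type carrying an Escape() call
META_EOF = 0x0000             # terminates the record list
ESCAPE_SETABORTPROC = 0x0009  # escape subfunction that registers an abort callback
PLACEABLE_KEY = 0x9AC6CDD7    # magic of the optional 22-byte placeable header


def parse_records(data):
    """Yield (offset, function_code, parameter_bytes) for each WMF record.

    Raises ValueError on a truncated or malformed file so that a scanner
    treats "could not parse" differently from "clean".
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header (Aldus/APM wrapper)
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # METAHEADER: Type, HeaderSize (words), Version, Size (words), NumberOfObjects,
    # MaxRecord (words), NumberOfMembers
    _type, hdr_words, _ver, _size_words, _nobj, _maxrec, _nmem = struct.unpack_from(
        "<HHHIHIH", data, off)
    if hdr_words != 9:
        raise ValueError("unexpected WMF header size %d words" % hdr_words)
    off += hdr_words * 2

    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)  # RecordSize is in 16-bit words
        if rec_words < 3:
            raise ValueError("record at offset %d smaller than its own header" % off)
        rec_len = rec_words * 2
        if off + rec_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        yield off, func, data[off + 6:off + rec_len]
        if func == META_EOF:
            return
        off += rec_len
    raise ValueError("no META_EOF record found")


def find_abortproc_escapes(data):
    """Return [(record_offset, escape_byte_count), ...] for every SETABORTPROC escape."""
    hits = []
    for off, func, params in parse_records(data):
        if func != META_ESCAPE or len(params) < 4:
            continue
        esc_func, byte_count = struct.unpack_from("<HH", params, 0)  # EscapeFunction, ByteCount
        if esc_func == ESCAPE_SETABORTPROC:
            hits.append((off, byte_count))
    return hits


# --- constructed sample input (not a real-world file) ------------------------

def _record(func, params):
    """Build one WMF record: 4-byte size in words, 2-byte function, parameters."""
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body


def build_sample(with_abortproc):
    """Build a minimal standard (non-placeable) WMF, optionally carrying a SETABORTPROC escape."""
    recs = [_record(0x020C, struct.pack("<hh", 100, 100))]  # META_SETWINDOWEXT, benign
    if with_abortproc:
        filler = b"ABCD"  # constructed placeholder bytes standing in for the escape data
        recs.append(_record(META_ESCAPE,
                            struct.pack("<HH", ESCAPE_SETABORTPROC, len(filler)) + filler))
    recs.append(_record(META_EOF, b""))
    body = b"".join(recs)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in recs) // 2, 0)
    return header + body


if __name__ == "__main__":
    for label, flag in (("clean", False), ("abortproc", True)):
        print(label, find_abortproc_escapes(build_sample(flag)))
```

The scanner deliberately stops at the first META_EOF and refuses files whose record sizes do not add up; a file that fails to parse should be quarantined for manual review rather than passed as clean, since a malformed record list is itself a sign that something other than an ordinary image is being carried.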

Linked by shanmuga Monday, 2nd January 2006 9:39PM