MS Blog: Looking at the WMF issue, how did it get there?

One question we've gotten is about SetAbortProc, the function that allows printing jobs to be cancelled.

Specifically, people are wondering about how the vulnerability was present. Bear with me, I'm going to get rather technical here in the interests of clearly pointing it out. The long story short is that the vulnerability can be triggered with either correct OR incorrect metafile record size values; there seems to have been some confusion on that point.

To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. Remember, those were the days of co-operative multitasking and the only way to allow the user to cancel a print job would be to call back to them, usually via a dialog. Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function.

Linked by shanmuga Saturday, 14th January 2006 2:50AM
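The point in the excerpt that matters for defenders is that the record size does not gate the bug: a SetAbortProc escape is reached whether or not the RecordSize field is plausible. The scanner below is an added example, not code from Microsoft or from the linked post. It walks a WMF file record by record using the layout from the public WMF format (a RecordSize in 16-bit words, a RecordFunction, then parameters; META_ESCAPE is function 0x0626 and its first parameter is the escape number, where SETABORTPROC is 0x0009), reports every SetAbortProc escape it sees, and keeps going when a record lies about its size instead of trusting the field and walking off the end. The three sample files it builds are constructed here for the example, and the escape data is filler bytes, not a real payload.

```python
"""Scan a WMF file for META_ESCAPE records carrying the SETABORTPROC escape.

Record layout (WMF): RecordSize (uint32, in 16-bit words, counting itself),
RecordFunction (uint16), parameters. For META_ESCAPE the parameters are
EscapeFunction (uint16), ByteCount (uint16), EscapeData[ByteCount].
Added example; constants below follow the public WMF format.
"""
import struct
import sys

META_ESCAPE = 0x0626
META_EOF = 0x0000
META_SETWINDOWEXT = 0x020C
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7          # magic of the optional 22-byte "placeable" header
STD_HEADER_LEN = 18                 # the standard header is fixed at 9 words
MIN_RECORD_WORDS = 3                # RecordSize + RecordFunction alone


def header_length(data):
    """Byte offset of the first record (optional placeable header + standard header)."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + STD_HEADER_LEN:
        raise ValueError("truncated WMF header")
    return off + STD_HEADER_LEN


def iter_records(data):
    """Yield (offset, size_words, function, params, size_ok) for each record.

    A hostile file can lie about RecordSize. If the size is too small to be a
    record or runs past EOF, the record is still reported (size_ok=False) and
    the scan steps forward by the minimum record length rather than trusting it.
    """
    off = header_length(data)
    n = len(data)
    while off + 6 <= n:
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        size_ok = size_words >= MIN_RECORD_WORDS and end <= n
        params = data[off + 6:end] if size_ok else data[off + 6:]
        yield off, size_words, func, params, size_ok
        if func == META_EOF:
            break
        off = end if size_ok else off + MIN_RECORD_WORDS * 2


def find_setabortproc(data):
    """Return one finding per SETABORTPROC escape, whatever RecordSize claims."""
    findings = []
    for off, size_words, func, params, size_ok in iter_records(data):
        if func != META_ESCAPE or len(params) < 4:
            continue
        escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
        if escape_fn == SETABORTPROC:
            findings.append({"offset": off, "record_words": size_words,
                             "size_ok": size_ok, "byte_count": byte_count})
    return findings


# --- constructed sample files (not real-world captures) ---------------------
def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _escape(escape_fn, payload):
    return _record(META_ESCAPE, struct.pack("<HH", escape_fn, len(payload)) + payload)


def _wmf(records):
    body = b"".join(records) + _record(META_EOF)
    max_record = max(struct.unpack_from("<I", r)[0] for r in records)
    # Type=1 (disk), HeaderSize=9 words, Version=0x300, Size, Objects, MaxRecord, Members
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (STD_HEADER_LEN + len(body)) // 2,
                         0, max_record, 0)
    return header + body


FILLER = b"\x90" * 8                                  # placeholder escape data
BENIGN = _wmf([_record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100))])
CORRECT_SIZE = _wmf([_escape(SETABORTPROC, FILLER)])  # RecordSize is right
_bad = bytearray(_escape(SETABORTPROC, FILLER))
struct.pack_into("<I", _bad, 0, 1)                    # RecordSize=1 word: impossible
BOGUS_SIZE = _wmf([bytes(_bad)])                      # ...but the escape is still there

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BOGUS_SIZE
    for f in find_setabortproc(blob):
        print("SETABORTPROC escape at offset %d (RecordSize=%d words, size_ok=%s)"
              % (f["offset"], f["record_words"], f["size_ok"]))
```

Run it against a file path to scan that file; with no argument it scans the constructed bogus-size sample and still reports the escape, which is the behaviour the excerpt describes: a detector that rejects only records with an implausible RecordSize, or that only follows the size field, misses the case where the size is correct, and one that trusts the size field can be steered past the escape entirely.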