Irfan View WMF Vulnerability Looks You Shouldn't Use It with Unknown Images

Discussion in 'Digital Photography' started by ab5cvjl, Jan 5, 2006.

  1. ab5cvjl

    ab5cvjl Guest

    I did the following.

    I found a wmf file on my system, actually lots of them, in Visual Basic
    6. I guessed that I could safely experiment with them.

    I copied and renamed one as foo.wmf in my temp directory. I copied and
    renamed it there foo.jpg.

    I went into Irfanview and disassociated wmf from IV.

    I tried to open foo.wmf from a Windows directory window, aka folder
    window, and it asked me for a program with which to open it. That was

    But, then I tried to open foo.jpg from a directory window, and
    Irfanview started and displayed a dialog box saying that the file was
    actually a wmf file and asking me if I wanted to rename it. I had only
    two choices, yes or no. Regardless of which I chose, Irfanview opened
    the file. If the file had been corrupted, I might have been looking at
    reinstalling Windows.

    First problem, when Irfanview realizes that the file is not what the
    extension says it is, the program should give you a third choice to
    cancel to stop the process. The way it is now, once it tells you it is
    a misnamed file, you can't do anything. You may be hosed. This looks
    like a simple partial fix.

    The more I think about it, the more I think this is the way it should
    be. If a file is not what it says it is, do you really want to open
    it? Probably not. The problem today is wmf files. Who knows what it
    might be tomorrow?

    Second problem, the misnamed jpg. The file gets rendered in the Open
    box and in thumbnails. You could get hosed without even knowing it.
    It seems like another partial solution here would be never to display a
    thumbnail for a file where the extension does not match the file type.
    Again, I think it ought to work that way.

    That doesn't solve the problem of viewing a wmf file without realizing
    it. That could happen if you save images from usenet or the web in a
    directory for later viewing. Although, if you do that, you could check
    the directory extensions before viewing the file.

    You need to be able to tell Irfanview not to display a particular file
    type, wmf. I haven't found a way to do that.

    It looks to me like there is no way to avoid changing the program and
    waiting for a Microsoft fix. The same problem could arise with another
    file type tomorrow. Users need some sort or workaround until patch
    day. Also, many people use Win 98, and who knows if Microsoft will fix
    Win 98. For that matter, who knows if Microsoft will actually fix it
    for XP?

    It looks like, as it is now, you shouldn't use Irfanview with unknown
    images, those you didn't take yourself or come from usenet binary
    ab5cvjl, Jan 5, 2006
    1. Advertisements

  2. ab5cvjl

    ASAAR Guest

    A simple workaround is <CTRL> + <ALT> + <DEL> to start the Task
    Manager when IrfanView presents its warning dialog box. This will
    allow you to terminate IrfanView (or any other program) if you wish.

    There are patches available to download that will prevent the
    auto-execution of WMF files, but MS has decided to drag their heels,
    so for an official fix you'll have to wait. A safer fix is to
    upgrade to DOS and Windows 3.x <g>
    ASAAR, Jan 5, 2006
    1. Advertisements

  3. Why wait for MS?


    It's unofficial but availlable right now, works on W2K, XP....

    Bye Maurice
    Maurice ON4BAM, Jan 5, 2006
  4. ab5cvjl

    Paul Allen Guest

    Or upgrade to Linux and start putting pressure on vendors like Adobe
    to port their products. The open source community does not drag its
    heels when a vulnerability like this shows up. Even if the author
    of the vulnerable package is unable or unwilling to fix it, any other
    interested party can jump in and fill the breach.

    This particular vulnerability is being actively exploited by multiple
    sites around the Net, and Microsoft is just letting it sit. I'm
    amazed that people put up with this crap.

    Paul Allen
    Paul Allen, Jan 5, 2006
  5. ab5cvjl

    Lorem Ipsum Guest

    That's like playing with fire in a gunpowder factory.
    Lorem Ipsum, Jan 5, 2006
  6. ab5cvjl

    Lorem Ipsum Guest

    Lorem Ipsum, Jan 5, 2006
  7. Because Steve Gibson of GRC and reputable others endorse it? GRC enough to
    be a mirror DL site.
    Ed Ruf (REPLY to E-MAIL IN SIG!), Jan 5, 2006
  8. ab5cvjl

    Gormless Guest

    I can't help wondering what other choices you might have expected.
    Perhaps a third choice would have been 'maybe'. Or possibly 'what the hell,
    go for it'.
    Gormless, Jan 5, 2006
  9. ab5cvjl

    Mark Roberts Guest

    Mark Roberts, Jan 5, 2006
  10. ab5cvjl

    SonicShake Guest

    wrote in
    You could use anti-virus company NOD32's cleaner:

    You don't need to reboot your PC, and this is where the likes of
    Microsoft and Dell get their antivirus software from.
    SonicShake, Jan 5, 2006
  11. Since you're trusting Microsofts OE... ;-)

    Bye Maurice
    Maurice ON4BAM, Jan 5, 2006
  12. ab5cvjl

    Keith Foster Guest

    Fix is now available on Microsoft's Windows Update site (Internet Explorer |
    Tools | Windows Update) for XP, 2000, ME and 98.

    Keith Foster, Jan 6, 2006
  13. ab5cvjl

    Ron Hunter Guest

    You are assuming that Irfanview opening a file somehow gives the file
    some kind of programatic control of your machine. I suspect that this
    is something Irfanview guards against quite successfully. An image file
    is DATA, and is treated separately from program code by any properly
    functioning software. There is no harm in having Irfanview open any
    file type. It will display it, or not, and warn you if the types
    internally and externally don't seem to match. Neither condition should
    involve any risk on your part.
    Ron Hunter, Jan 6, 2006
  14. ab5cvjl

    Paul Allen Guest

    Sorry, Ron, you don't understand the vulnerability. While an image file
    is data, and therefore harmless, the code that reads it is software. In
    this case, the Windows library routines that parse .wmf images have a
    bug that lets a carefully-crafted image file put arbitrary code in a
    place where the library will execute it. Effectively, the image file
    gets programmatic control of the machine. Firefox on Windows is
    apparently vulnerable, while Firefox on other platforms is not. Any
    sensible (ie: lazy) programmer will leverage libraries provided by the
    OS rather than reinventing them. Any Windows program that can process
    ..wmf files should be considered suspect until the vulnerability is
    patched or unless it is known that the program does its own .wmf

    Fortunately, Microsoft released a patch this afternoon, several days
    ahead of when they thought it would be ready. They were planning to
    use those days for testing. Let's hope the hotshots in Redmond got
    it right the first time.

    Paul Allen

    Paul Allen
    Paul Allen, Jan 6, 2006
  15. ab5cvjl

    Lionel Guest

    Kibo informs me that stated that:
    Did you try hitting the Escape key instead? - That aborts most things in
    Also, you can turn off the option to offer to rename files with the
    wrong extension.
    Unfortunately, the various options in Irfanview are confusing to get to,
    & very bizarrely organised once you've found them, but it is possible to
    configure most of these sorts of behaviours.
    While viewing an image, select the 'Options' menu item, then
    'Properties'. That will get you to all the configuration options for the
    program. To disable loading of .WMF files, unticking
    "[] WMF - Windows Metafile"
    from the "Extensions" tab, (NOTE! - They aren't in alphabetical order!)
    Then selecting "(*) Load only associated types while moving through
    directory", should do the trick for you.
    Lionel, Jan 6, 2006
  16. ab5cvjl

    Ron H. Guest

    Ron H., Jan 6, 2006
  17. ab5cvjl

    Cynicor Guest

    How do you define "letting it sit?" Do you think that Microsoft was not
    taking any action to develop the patch? Or are so many programs reliant
    on the DLLs involved that the company had to do compatibility testing
    before releasing it? That's one area that people tend to overlook when
    complaining about the time-to-patch. If the patch broke other programs,
    people would start advising that the patch was broken and not to use it.
    Cynicor, Jan 6, 2006
  18. ab5cvjl

    Ron Hunter Guest

    All three of my computers were updated this morning.
    BTW, I don't believe that Irfanview used the modules in question.
    Ron Hunter, Jan 6, 2006
  19. ab5cvjl

    Paul Allen Guest

    I define "letting it sit" as taking more than a couple hours to fix this
    hole that was being actively exploited from the moment it was announced.
    The hole was actually a design bungle that allowed WMF images to execute
    arbitrary code. Yes, you read that right. Microsoft designed WMF with
    the ability to execute arbitrary code. The fix was simply to disable
    that capability in the DLL's that handle WMF.

    When this hole was annnounced on December 28, we discovered that all
    Windows systems were broken and that the breakage was being actively
    exploited by bad guys to take over machines. It should not have been
    a question of whether the fix might break something. Things *were*
    broken. Microsoft let their customers sustain increasing damage for
    nine days while they tried to decide if they could afford the risk
    of closing the hole. In the end they released the fix five days ahead
    of schedule because it became obvious that dithering was the wrong

    Stuff like this is one of the reasons I avoid proprietary software. An
    outfit like Microsoft will obviously hang me out to dry if it thinks
    that will help their stock price, or their market share, or whatever.
    I refuse to subject myself to that risk.

    Paul Allen
    Paul Allen, Jan 6, 2006
  20. ab5cvjl

    ASAAR Guest

    . . .
    There have been far too many similar occurrences to avoid thinking
    that the delay in getting this "fix" to the public might be due to
    the need to appear to eliminate the bug, while actually continuing
    to allow the same ability to execute arbitrary code. MS has a
    history of allowing "back doors" into its software, not through
    accidental software bugs that can be exploited by persistent
    hackers, but by carefully crafting them and camouflaging them. One
    example was what MS did with Hotmail. And now that a certain agency
    is back in the news, do you recall the accidental release of one of
    the early Windows (9x, I think) upgrades where due to carelessly
    including debugging code in some OS modules, the existence of two
    "NSA keys" became known. There's more than one reason why MS shuns
    open source . . .
    ASAAR, Jan 6, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.