WMF flaw not intentional, Microsoft says

Microsoft has denied a suggestion that a widely-publicized security vulnerability in its Windows operating system is a as a way to access PCs.

"Now, thereÂ’s been some speculation that ... this trigger was somehow intentional. That speculation is wrong," Stephen Toulouse, a program manager in Microsoft's Security Response Center, wrote on a Microsoft corporate blog Friday.

On Thursday last week, researcher Steve Gibson suggested that the image processing flaw in Windows is so bizarre that it must have been intentional. The suggestion caused a deluge of comments on Slashdot and many responses to security mailing lists, with most dismissing the back door theory.

The flaw lies in the way the Windows Graphics Rendering Engine processes Windows Meta File images. The bug was first discovered late last month as it was being exploited by cybercriminals. Microsoft rushed out a fix on Jan. 5, breaking its monthly patching cycle.

Toulouse's comment is part of a blog post that discusses the history of the vulnerability and how it was introduced in Windows. He mentions that WMF support was first included with Windows 3.0 in early 1990, a" different time in the security landscape." Microsoft has said it was unfamiliar with this type of attack vector and will scour its code for similar problems.

Close
Drag