WTF is a WMF?

Microsoft, Open Source

Don't you just love the acronym land? Did you know that there is actually a person at Microsoft whose sole job is to manage the list of acronyms that Microsoft uses (TLA)? If you didn't then please add that to the worthless knowledge you now possess. But why talk about acronyms today? Well, mostly because there is a 0 day exploit of another Microsoft file format that makes your Windows XP system wide-open for hackers if you made some bad decisions. On top of those is still using Microsoft Internet Explorer to surf the Internet – what in the world are you thinking? How many times do you have to stab yourself to bleed to death? If you know the answer to that please download Firefox today and say goodbye to IE-borne online threats. The second mistake, perhaps, is not updating the Firefox you already have installed on your computer. If you are running Firefox 1.0.4 or earlier on Windows you are still vulnerable (though you'll have to hold the knife and push in order to impale yourself in that scenario). So if you use Firefox remember that its not made out of titanium, its software, and software is broken no matter who writes it. So upgrade Firefox to 1.5 if you already have not. Now on to the actual knife – the 0 day exploit in WMF. WMF is a windows metafile format and pretty much only used by Office to store clipart and such. Well, today it joins the long line of exploited Microsoft formats that are no longer welcome in any mail system (along with .ico, .bmp, .hlp, etc) so please do not open wmf files, especially from third-party, untrusted web sites. The exploit is currently being used to distribute the following threats: Trojan-Downloader.Win32.Agent.abs Trojan-Dropper.Win32.Small.zp Trojan.Win32.Small.ev There is no known patch and you'll be waiting until at least the second Tuesday (patchday) of January to get this fixed so do something about it today. Install Firefox and stop clicking on WMF files! Update: Perhaps you don't have the time to switch your entire client base to Firefox today. Fair enough, Jesper Johansson has a post on how to restrict which extensions can pass through your ISA 2004 firewall. If your office does not have a firewall solution… well, you need to fire your network administrator. It is easy, look at the blog comments, I fired entire Microsoft Internet Explorer team today. Update 2: Ok, this appears to be a very sensitive subject for a lot of people, judging by the amount of you that have chosen to contact me. So let me come out one more step. Jokes aside. Folks, don't be afraid of the comments, what you say to me is between you and me, what you post in the comments is seen by everyone. If you feel strongly about something, VOICE it. Remember that the IE team dropped all development of Macintosh version of IE, then outright said it would not develop anything for XP anymore and everyone would have to upgrade to Vista, then they slacked away on security work and instead focused on visual issues while they got spanked on features by Firefox (which is why I switched) and finally its frequent posts like this one pointing to it. The Internet Explorer team needs to be punished, severely, for slacking away and compromising your computer and data security. This is not the case with almost any other Microsoft product. Will Bill fix it? Not as long as you continue to take it and not vote with your feet or at the very least tell them you are not happy with the risk they are placing on your computer. Step back, compose your thoughts and feelings and ask yourself one very simple question: If the manufacturer of your front door lock saw web sites giving away the key to your door, would you wait 2 weeks (Patchday, second Tuesday of January) or over a year (Windows Vista) to change that lock?

20 Responses to WTF is a WMF?

  1. jen says:

    IE is comfy. So using Firefox will decrease the potential for viruses?

  2. Vlad says:

    Not just viruses but a whole slew of exploits targeted directly for IE that the IE team has not fixed. They have a horrible security track record, even to the point that there is now a proof of concept exploit for an IE hole that was reported in April (ASN.1) and has not yet been fixed.

    If you like your computer you should run to and install it along with the kick-ass modules it provides. You can continue to use IE for your Intranet but aside from that IE should not be used on the Internet under many circumstances.

  3. Ouch, pretty harsh comments. I was spending too much time correcting problems after users were installing, updating, uninstalling, reinstalling Firefox on networks that I manage. I banned everyone from using it. Perhaps it’s improved, but I’m leary of switching.

  4. Igor Stanski says:

    I have to side with Vlad with this one as IE has caused far more problems than benefits, especially for users that will just click on anything because it looks legitimate.

    Once you go to Firefox you will never go back to IE.

  5. Vlad says:

    I’ve been one of the more outspoken critics of Microsoft IE team because, through their blog, they have demonstrated more interest in picking a cute RSS icon and soliciting feedback on the new “blue e logo with a yellow streak, what do you think ?” than they have on resolving security issues that have plagued their platform for months.

    In my humble opinion, Microsoft should open source ActiveX and outright fire everyone on the Internet Explorer team. Every last one of them.

    I feel that strongly about the disappointment that IE has been in version 6.x


  6. Mitch Travis says:

    I read these things on your blog often enough and I have come to terms with it to the point that I’m just dismissing people that still use IE. It is the same thing I tell people that use AOL, Yahoo and Hotmail for their business accounts… “It may be just good enough but if you’re not aware of the problems are you really incontrol of your business?”

  7. MJ Petersen says:


    I know how you feel. I manage a network of 2300 desktops where most people did everything they could to get Mozilla and later Firefox to work on their computers. Managing it has been a nightmare, especially in earlier 0.x releases.

    I am happy to say that all of our sites now run Firefox and that it has a lot of creature habits (such as msi packages, group policy, user agent masking, automatic updates, bookmark and profile storage customization) built in and its a snap to disable users from trying to do stupid things with their browser because we manually nuke components we don’t wish them to have access to.

    Since we rolled out Firefox (via Group Policy) we’ve had an 80% drop in spyware issues. There’s something to think about.

  8. smbmarathon5 says:

    It’s all about the features. You can’t convince people to switch on security alone, but show them what Firefox can’t do (and more importantly what Explorer can’t) and you’ll win.

    I second the note from the other comment — we have seen such a huge drop in spyware/adware on our systems that we have completely removed resource wasting antispyware software from our clients workstations. Things are running faster and better and they cannot believe that this software is free. Then show them mobile bookmarking, ability to view IE pages in IE, view PDF files as text without launching Acrobat hog, quickly researching links through tabs, integration with google, ebay and amazon search..

    Microsoft is one of the biggest PRO-Microsoft folks I know, if he says dump it believe me, you need to look. I switched because of the features, the added security and ease of management of my clients was just an extra bonus. It’s not every day you have this soft of an app fall in your lap for free.

    This is not your fathers Netscape or Mozilla, Firefox is as solid as the money can by.

  9. susan says:

    There is a site telling you how to block wmf extension if you have ISA 2004:

  10. I am shocked there are still people using IE after all the exploits. What Vlad is talking about is by no means new, I hope someone at Microsoft is listening.

    I stuck with IE when the exploits first started out. Then I turned off ActiveX. Then I turned off Javascript. Now I can’t even browse around because of WMF.

    Microsoft, LISTEN to VLAD. If the guy that writes your Exchange documentation, leads SBS groups, supports SBS for tons of resellers, spends hours producing radio shows… and god knows what else is saying dump IE then there is something wrong.

    And Vlad is by no means alone:
    Listen to your supporters.
    Listen to your customers.
    Listen to sysadmins running your software.

    Your IE team is giving your software and your company a huge black eye. The core of your evangelism is switching away from your software and you are doing nothing to solve their problems.

    Many of us will not be making it to Vista.

  11. Jerz says:

    Does Firefox now work with Remote Web Workplace?

  12. Vlad says:

    RWW works, but connect-to-computer does not.

    Remote Web Workplace connect to computer requires a terminal server ActiveX which is not supported by Firefox or any other browser. When you upgrade to Firefox just install the IEview plugin – it allows you to define trusted sites where IE can be used. I do this, it opens IE for anything https://* and all my local stuff. Search my blog to see how that is done.

    Other RWW components work just fine. You can access Outlook Web Access and other stuff on RWW with Firefox.


  13. bea says:

    I just installed it, finally, and wow…. Thank you Vlad!@

  14. Jerz says:

    Ahhh…. great find on that! I’ve been using Firefox for quite some time in conjuntion with IE7…. unfortunately though IE7 doesn’t work with RWW either so… I’ll stick to showing clients how RWW works with their machines. Actually you can go further on RWW with firefox than you can with IE7 (but I guess IE7 isn’t realeased yet either).



  15. BJ Gillette says:

    You’re not alone. Thoughtful people in the Windows community have lost patience with IE. Many are still hiding behind anonymity. We covered some of the on-the-record comments, including yours, at Email Battles.

    In our Background section at the end of the article, don’t pass by Dare Obasanjo’s excellent rundown on how IE got to this sorry state: Mac IE’s Death: A Case for Microsoft Disbanding or Transfering the Windows IE Team. (For those who don’t know, Dare’s a developer on the the Live team and creator of RSS Bandit, an favorite RSS feed aggregator for Windows.)

    In short, Dare says it’s hard to keep pouring money into something you don’t view as a profit center.


  16. John says:

    “…please download Firefox today and say goodbye to IE-borne online threats.”

    And say hello to Firefox-borne online threats.

    Just out of curiosity, do firm data exist to prove that Firefox actually is more secure than IE? (That’s not a sarcastic question; I’m genuinely curious.)

  17. Anonymous says:

    Two problems in your comment that I see:

    1) Due to the nature of the decoding .DLL, an .WMF file renamed as a .JPG will be processed as a .WMF file, thus opening your system to exploitation from files labeled as .jpg (in the same manner that emailed .PIF files were actually renamed .EXE files that would be opened as .EXE files by windows).

    2) According to one source, all browsers are susceptible because it is a Windows file, not IE.

    OBTW, don’t the last two letters of the WMF TLA indicate an alternate interpretation of the name?

  18. Vlad says:

    John & AC:

    There have been far fewer problems with Firefox, far less intrusive, and were always patched within a day or two. The current IE/Windows problem has taken days, and there won’t be a patch in at least a week and a half. This is beyond irresponsible.

    As for all browsers being affected, that is not true. Firefox does not automatically launch wmf files as Internet Explorer does through the Windows Picture & Fax viewer that uses the exploited DLL in the question.

    If you only used Firefox instead of IE you would not be affected by this issue.


  19. John says:

    “There have been far fewer problems with Firefox, far less intrusive, and were always patched within a day or two.”

    Is this documented somewhere? Again, I’m not trying to be sarcastic–just looking for facts. Over the past year, how many security issues were documented with Firefox and how many with IE?

  20. Anonymous says:

    But is Firefox safe from renamed wmv files? Fiefox will open jpg’s. If it uses the faulty widows dll, then won’t it be susceptible?

    Don’t get me wrong- I’m a confirmed Firefox user who hates to use IE.

Comments are closed.