I've written a technical document describing what is going on "behind-the-scenes" to cause the current WMF SETABORTPROC vulnerability and how Ilfak Guilfanov's patch worked to mitigate it. Included are both annotations to the patch's source code and an annotated disassembly of the patch itself.
Interestingly, reading Microsoft's description of their patch:
Specifically, the change introduced to address this vulnerability removes the support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image. This update does not remove support for ABORTPROC functions registered by application SetAbortProc() API calls.
it appears that they ended up doing the same thing that Guilfanov's patch did (but where Guilfanov had to jump through .dll injection hoops, they could just change the source code and recompile GDI32.DLL...).
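As an added illustration (not part of the original document, Guilfanov's patch, or Microsoft's fix), the following Python script walks the records of a WMF file and flags any META_ESCAPE record whose escape function is SETABORTPROC, i.e. the record type both patches stopped honouring. The record layout and constants (META_ESCAPE = 0x0626, SETABORTPROC escape = 9, META_EOF = 0) are taken from the WMF format; the sample file bytes are constructed inline for the demonstration.

```python
import struct

META_ESCAPE = 0x0626       # WMF record function: GDI escape
META_EOF = 0x0000          # WMF record function: end of metafile
ESC_SETABORTPROC = 0x0009  # escape function number for SETABORTPROC
PLACEABLE_KEY = 0x9AC6CDD7 # magic of the optional 22-byte placeable header

def iter_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                       # skip placeable header if present
    off += 18                          # skip the standard 18-byte WMF header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2          # record size is given in 16-bit words
        if size < 6 or off + size > len(data):
            break                      # malformed record: stop walking
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size

def find_setabortproc(data):
    """Return offsets of META_ESCAPE records carrying a SETABORTPROC escape."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESC_SETABORTPROC:
                hits.append(off)
    return hits

def _record(func, params=b""):
    """Build one WMF record: DWORD size in words, WORD function, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_sample(with_abortproc):
    """Constructed test file: a benign META_SETMAPMODE record, optionally a
    META_ESCAPE/SETABORTPROC record (escape data is placeholder zero bytes), EOF."""
    recs = _record(0x0103, struct.pack("<H", 8))  # META_SETMAPMODE, MM_ANISOTROPIC
    if with_abortproc:
        esc_data = b"\x00" * 8
        recs += _record(META_ESCAPE,
                        struct.pack("<HH", ESC_SETABORTPROC, len(esc_data)) + esc_data)
    recs += _record(META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(recs)) // 2, 0, 0, 0)
    return header + recs
```

On the constructed sample, `find_setabortproc(build_sample(True))` reports the offending record at offset 26, and the benign file yields no hits.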
The document can be found here.
Jan 5th 2006