I've always heard you could avoid a virus by using a trojan. Now I'm confused.

The problem is that the Windows Metafile format, a file format for images (the biggest example I can think of it being used is the Microsoft Clipart Gallery images) allows files to contain code that is arbitrarily executed under certain conditions. The "feature" was originally added way back in the 80s to simplify error handling if a printer fucked up, which was a lot more common in the Dark Ages of computing. Problem is , the code could be anything, like a bit of code that opens a port in the system's firewall and downloads a trojan. All a malicious user has to do is make a WMF that doesn't load correctly for whatever reason, causing the "error handling" code to be run. This is especially easy, since a user doesn't even have to deliberately load the file, unlike, say, for an infected email attachment, since even previewing it in a Web browser or other application loads it.

So now you know. And knowing is half the battle.

Cool, thanks.

Heh, no problem. More background here:
http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

I've been commenting anonymously here and there, but I suppose I might as well use my Internet moniker, since I seem to have become a regular reader.

yeah, me too, harrison. Not to question the whole terminology, but shouldn't those files be called Greeks? Just, you know, wondering.

"Get a Mac and forget about this crap", he said with a smirk and giggle

"...but shouldn't those files be called Greeks?"

'Cause they come in the back door? HA!

Grayson,

I'm with you. The first one should've been called the Greek Horse. Doesn't quite have the same ring, but they built it, they broke it, they came spilling out of it.

h/t Virgil.

What are these "patches" of which you speak? I am a simple computer user. My laptop has an apple on it. It works.

You frighten and confuse me with your geektalk.

And the Mac users come out of the wainscotting as always, to gloat that their computer never gets a virus. Consider yourselves given the standard PC-zealot rebuttals.

I use a mac and a pc. And I can safely say....they both suck.

Normally I refrain from being a smug Mac fanboy, so...Ok, ok, just kidding. Get a Mac, WinWeenies.

Ah yes, an OS flamewar.
I use Mac, Wintel, and Linux, and I can safely bet this:
Linux is full of exploits, too, but the Linux hacking community is too busy writing viruses for Windows, as part of their effort to embarass Bill Gates.
And, oh, the Mac? Consider viruses just one more piece of software nobody's bothering to port to MacOS. Maybe if the market share were higher.

Oooh. Oooh. Nerd fight!! It's on.

OSX is patched pretty regularly as well. Heck, I've even had CERT notices sent in about OSX:

http://www.kb.cert.org/vuls/id/983429

I kind of gave up on OS one-upsmanship back in college. I just want everything to work so I can go home on time.

I won't jump into the OS wars, except to say: creating a file format that allows arbitrary executable code to be triggered by an error handler? Jeeezus. Where did the geniuses who thought that idea up get their training? McDonald's University? That is a no-no on so many levels. It's been said many times that Microsoft lacks a corporate culture of security. That's a very hard mindset to instil in your workforce.

I won't jump into the OS wars, except to say: creating a file format that allows arbitrary executable code to be triggered by an error handler? Jeeezus. Where did the geniuses who thought that idea up get their training? McDonald's University? That is a no-no on so many levels. It's been said many times that Microsoft lacks a corporate culture of security. That's a very hard mindset to instil in your workforce.

Added in the 1980's. In a format I've never seen a legit file in for over a decade.

I mean, for heaven's sake, how could those evil car makers have put out cars in the 1960's without airbags? And what asshat designed a building that couldn't take an aircraft strike?

Seriously, the odds of anyone who actually wrote that code still working at Microsoft (or at all for that matter given the boat load of $$ they made off stock options back then) are very slim.

I suspose MS could go the Mac root of just breaking the compatability of software every time they ship a new OS...

Thats an amazing story about how these little files were kept around since the 80's!

Nevertheless, it's true that Microsoft just doesn't place a high value on security. It must drive some of their developers crazy, since they obviously have the talent and skill to make their OS secure, but management doesn't value it.