Exploits taking advantage of the vulnerability on Windows NT-based systems facilitated the propagation of various types of malware, typically through drive-by downloads.
Due to extreme impact, this bug won the 2007 Pwnie Award for "Mass 0wnage" and "Breaking the Internet".[2]
According to computer security expert Steve Gibson, Windows NT 4 is vulnerable to known exploits if image preview is enabled.[3]
Windows operating systems that do not have image preview enabled or that have hardware-based Data Execution Prevention (DEP) active for all applications should not be susceptible to this exploit.
According to Secunia, "The vulnerability is caused due to an error in the handling of Windows Metafile files ('.wmf') containing specially crafted SETABORTPROC 'Escape' records."
This change happened at approximately the same time as Microsoft was creating the 32-bit reimplementation of GDI for Windows NT, and it is likely that the vulnerability occurred during this effort.
The 'Escape' mechanism in question allows applications (not metafiles) to access output device features not yet abstracted by GDI, such as hardware-accelerated Bézier curves, Encapsulated PostScript support, etc.
Because most Escape calls produce actual graphics, the general escape mechanism was allowed in metafiles, with little thought originally given to the possibility of using it for things like SETABORTPROC. Modern non-vulnerable metafile interpreters now check the escape opcode against a blacklist or whitelist, while keeping the full set of opcodes available to regular code that calls the GDI escape functions directly (because such code already runs in the same context as the code it could make GDI call, there is no security risk in that case).
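The allow-list check described above, as an added example that is not part of the original article: a small WMF record walker that flags any Escape record whose escape function is SETABORTPROC, the kind of check a file scanner or mail gateway would apply before handing an image to a renderer. The record layout and the constants (placeable-header key, META_ESCAPE, SETABORTPROC) are taken from the MS-WMF specification and are assumptions as far as this page is concerned; the two sample files are constructed inline for the test and carry only placeholder bytes.

```python
import struct

# Constants from the MS-WMF specification (assumed here; not quoted on the page).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626         # RecordFunction of an Escape record
META_EOF = 0x0000
SETABORTPROC = 0x0009        # EscapeFunction that the 2005 exploit abused


def iter_wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF blob."""
    pos = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    # Standard header: mtType, mtHeaderSize (in 16-bit words), mtVersion, mtSize, ...
    mt_type, header_words = struct.unpack_from("<HH", data, pos)
    if mt_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    pos += header_words * 2
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:                      # a record is at least its 6-byte header
            raise ValueError(f"bad record size at offset {pos}")
        end = pos + size_words * 2
        yield pos, func, data[pos + 6:end]
        if func == META_EOF:
            return
        pos = end


def find_setabortproc(data: bytes):
    """Return offsets of Escape records whose EscapeFunction is SETABORTPROC.

    A non-empty result is the signal to reject the file; this is the opcode check
    that non-vulnerable metafile interpreters apply before honouring an Escape.
    """
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if escape_func == SETABORTPROC:
                hits.append(off)
    return hits


def build_wmf(records):
    """Constructed test-data builder: 18-byte standard header + records + EOF."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    max_rec = max((6 + len(p)) // 2 for _, p in records + [(META_EOF, b"")])
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


# Constructed samples: one harmless SETWINDOWORG record, then the same file with an
# Escape/SETABORTPROC record whose payload is two placeholder zero bytes.
BENIGN = build_wmf([(0x020B, struct.pack("<hh", 0, 0))])
SUSPECT = build_wmf([(0x020B, struct.pack("<hh", 0, 0)),
                     (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 2) + b"\x00\x00")])
```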
It was first observed in the wild by researchers at Sunbelt Software on December 28, 2005, and announced publicly by the company's president Alex Eckelberry.
A free downloadable patch for Windows NT[11] has been provided by Paolo Monti from Future Time, the Italian distributor of Eset's NOD32 anti-virus system.
A third party patch[6] was released by Ilfak Guilfanov on December 31, 2005, to temporarily disable the vulnerable function call in gdi32.dll.
For computers running an unpatched version of Windows, a defence-in-depth approach was recommended to mitigate the risk of infection.
In 2006 Steve Gibson suggested that the peculiar nature of the 'bug' was an indication that the vulnerability was actually a backdoor intentionally engineered into the system.[13]
The accusation became an assertion and spread through the internet as a rumor after the technology news website Slashdot picked up Gibson's speculation.[13]
The rumor was widely debunked[14][15] and Thomas Greene, writing in The Register, attributed Gibson's mistake to "his lack of security experience" and called him a "popinjay expert".