The final word on the Windows Metafile (WMF) vulnerability

[Corey]

It's now pretty clear that the ability to execute code in WMF graphics files was intentional - but we may never know why it's there. Steve wraps up the subject, lays a few myths to rest, explains why Windows 95/98/Me are not vulnerable, and offers a tool to detect the hole in all versions of Windows, including the WINE emulator for Linux.

http://thisweekintech.com/sn23

[Lorne]

The vulnerability probably wasn't intentional...the feature that permits it was put there on purpose, but the evidence indicates that it wasn't put there for any malicious intent.

It's worth keeping in mind that the WMF format is over 14 years old...

For a good explanation see Mark Russinovich's blog post (in fact it's linked from the page you posted).

http://www.sysinternals.com/Blog/

Note: I think Mark Russinovich understands the guts of Windows better than most people at Microsoft.

From his concluding statement:

A secret backdoor would probably have been noticed by the WINE group, and given a choice of believing there was malicious intent or poor design behind this implementation, I’ll pick poor design. After all, there are plenty of such examples all throughout the Windows API, especially in the part of the API that has its roots in Windows 3.1. The bottom line is that I'm convinced that this behavior, while intentional, is not a secret backdoor.

[Eagle]

I'm with you Lorne,

the fact that MS released updates across the OSs, in quick response,
suggests no real clandestine purpose of the backdoor..

whenever an OS visits 'windows update' and interacts, although encrypted,
this info is stored at MS's end. The 'Genuine Advantage' technology suggests
this quite openly really ?

[Corey]

It's worth keeping in mind that the WMF format is over 14 years old...

Definitely puts it in perspective.