Microsoft: New WMF vulnerabilities not exploitable

Microsoft has downplayed additional memory corruption vulnerabilities in its Windows metafile image processing.

Symantec told users through a vulnerability alert in its DeepSight Management System that an attacker could use these flaws to carry out a denial of service attack or execute code.

The bugs, which were not fixed by last week's out-of-cycle patch release for another WMF vulnerability, involve different portions of the rendering engine.

Microsoft said the flaws are not being used by hackers.

In a posting on a Microsoft weblog, Lennart Wistrand, of the company's Security Response Center, said the Redmond, Wash., company "had previously identified these issues as part of our ongoing code maintenance and are evaluating them for inclusion in the next service pack for the affected products."

"As it turns out, these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit," Wistrand said. "These issues do not allow an attacker to run code or crash the operating system. They may cause the WMF application to crash, in which case the user may restart the application and resume activity."

A posting on the Bugtraq mailing list said the vulnerability exists on versions of Windows XP, 2003, ME, 98 and 2000, and said there are two vulnerabilities within the graphics rendering engine.

The WMF vulnerability was the subject of a rare early patch release. Microsoft sent out the update last Thursday, five days earlier than its planned Jan. 10 Patch Tuesday release. The company first advised users last month to maintain antivirus services and apply the work-around it recommended.

Malicious users had set up attack websites to exploit the image vulnerability, from which they could execute arbitrary code, cause a denial of service condition or take complete control of an infected PC, the U.S. Computer Emergency Readiness Team and multiple security firms warned late last month.

Before Microsoft released the WMF patch, security experts were divided on whether PC users should turn to a third-party patch provided by computer scientist Ilfak Guilfanov.
