January 9, 2006 5:39 PM PST

More WMF problems for Microsoft

Just days after Microsoft rushed out a patch to fix a critical Windows flaw related to the processing of Windows Meta File images, two more problems with the component were flagged.

The newly disclosed issues could be a conduit for denial-of-service attacks, according to a description sent to the Bugtraq mailing list on Monday. A core function of the Windows operating system, explorer.exe, will crash a vulnerable Windows PC if a user views a specially crafted WMF image, according to the description. Explorer runs the Windows user interface, including the Start menu, taskbar, desktop and file manager.

Microsoft is aware of the problems, a representative for the software maker said in an e-mailed statement. The company had identified these issues before the report and is evaluating fixes for inclusion in the next service pack for the affected products, the representative said.

"Microsoft's initial investigation has found that these are not security vulnerabilities but rather performance issues that could cause an application to stop responding," the representative said.

Microsoft disputes that the flaws can cause Windows to stop responding, but said they may affect an application used to view a WMF image. Such applications include the Windows Picture and Fax Viewer.

"(The issues) may cause the WMF application to crash, in which case the user may restart the application and resume activity," the software maker said. The issues do not allow an attacker to commandeer a Windows system, Microsoft noted.

Word of the new problems comes just days after Microsoft rushed out a critical update for a vulnerability related to the rendering of WMF files. Cybercriminals were taking advantage of that flaw to attack Windows computers via malicious Web sites, Trojan horses and instant-messaging worms.

It is no surprise that more WMF flaws are being found, said Mike Murray, the director of vulnerability and exposure research at nCircle, a vulnerability management company in San Francisco. "When a part of Windows yields up a couple of vulnerabilities, it draws attention, and many malicious researchers start looking at that part more closely," he said.

Bugs affecting components of software typically come out in bunches, Murray said. "A few years ago it was IIS, then SQL Server, then RPC, now it's the Windows Graphics Engine," he said. IIS is Internet Information Services (the Web server part of Windows Server), SQL Server is Microsoft's database product, and RPC is the Remote Procedure Call component.

The newly reported Windows issues aren't as serious as the one Microsoft just patched--at least, not yet, Murray cautioned. "In the current release, they're only denial-of-service attacks. However, it's likely that they could be leveraged to be more severe. "If it's possible to write an exploit to take control of an attacked machine, we'll see one in the next week or two," he said.

Microsoft is not aware of any attacks that use the newly disclosed issues as a conduit, it said.


Join the conversation!
Add your comment
Crashes explorer.exe?!?!?!?!
That sounds less like malware and more like a valuable public service!!

Don't get me wrong---Windows isn't "evil" or anything... It's just that I'm sick and tired of "my" operating system obeying every whim of everyone on the internet but me! (the first time I got pr0n-reg-hacked I was furious! :)) It just seems like a really poor permissions model... running *NOT* in administrator mode takes away 85% of my functionality, and running in administrator mode is like waterskiing on liquid hot magma.

"switch OSes l4m3xx0rz!!!!110101!!!" My response is "hack windows better and I will!!" ha...

Posted by (64 comments )
Reply Link Flag
More WTF problems..
Personally I'm sick of all these flaws with windows, I understand that nothing is perfect, and having millions of people using a product, flaws would surface. But overall as a paying customer, your expectations of such software are high. And now this, apparently explorer.exe can crash by viewing an image.
<a class="jive-link-external" href="http://www.Remove-All-Spyware.com/" target="_newWindow">http://www.Remove-All-Spyware.com/</a>
Posted by Roman12 (214 comments )
Reply Link Flag
Again, it's nothing new.
This is really nothing new. There are other options that do not involve Microsoft software.
Posted by zaznet (1138 comments )
Link Flag
Critical or not.
The rushed security patch was listed as "Critical" however the severity was "not critical" if it involves the Windows 95, 98 and Millenium Edition versions of Windows.

This translates into "Critical unless we don't care about you anymore". The drop of support for these older versions brought an outcry that Microsoft could and would allow the Operation System to remain vulnerable to multiple points of attack in an effort to force users to buy new versions. Seems the fears have come true, but I don't see much about this issue yet.
Posted by zaznet (1138 comments )
Reply Link Flag
95, 98 and ME patches
If you're running 95, 98 or ME you don't have any security in the first place. Those OSes were based on a system that never had any security except as window dressing. How long are you planning on continuing to run those ancient and now very obsolete OSes anyway? Are you going to complain that vendors aren't fixing bugs in 5, 7 and 10 year old releases of Linux now either?

Or are you not actually running one of those but just sounding off because you feel like complaining?
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
MS judgment
I'm not sure relying on Microsoft's opinion regarding how critical a
vulnerability is would be a good idea.... I mean... look at their
judgments in the past... they have not been very good at picking
what is critical and what is not.
Posted by (96 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.