New Batch of WMF Flaws Flagged

Updated: Just days after the release of Microsoft's out-of-cycle WMF patch, researchers publish details, and exploit code, for two new denial-of-service vulnerabilities. Redmond is investigating.

Microsoft Corp.'s Windows image rendering nightmare just won't go away.

Just days after rushing out an emergency fix to counter a spate of zero-day attacks, security researchers claim there are at least two new flaws in the way the Windows graphics rendering engine handles WMF (Windows Metafile) images.

The latest warning was posted to the Bugtraq mailing list Monday by a researcher known simply as "cocoruder."

A few hours later, the first sign of what appears to be proof-of-concept exploit code was also published.

A Microsoft spokesperson insists the publicly released code can do no more than cause a denial-of-service crash.

"As it turns out, these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit. These issues do not allow an attacker to run code or crash the operating system. They may cause the WMF application to crash, in which case the user may restart the application and resume activity," said Lennart Wistrand, lead security program manager in the MSRC (Microsoft Security Response Center).

In a blog posting, Wistrand said Microsoft had already identified the issues as part of its ongoing code maintenance and is evaluating them for inclusion in the next service pack for the affected products.

According to the Bugtraq advisory, the Windows graphics rendering engine is affected by multiple memory corruption vulnerabilities that affect the "ExtCreateRegion" and "ExtEscape" functions.

"These problems present themselves when a user views a malicious WMF formatted file containing specially crafted data," the alert reads.

The issue is described as a denial-of-service condition, but there are fears that arbitrary code execution may be possible if the exploit is modified.


"Any code execution that occurs will be with the privileges of the user viewing a malicious image. An attacker may gain SYSTEM privileges if an administrator views the malicious file," it added.


The new flaws affect fully patched versions of Windows 2000, Windows XP (Service Pack 2 included) and Windows Server 2003.

The latest discovery, if confirmed as a legitimate risk, would be a serious blow to Microsoft's patch creation procedures.

In the last two months, the company has issued two bulletins—MS05-053 and MS06-001—to cover "critical" holes in WMF, but third-party researchers are still finding dangerous bugs.

Last year, it took Microsoft more than seven months to create, test and release the MS05-053 bulletin.

The company has blamed the delay on an extensive code review process, but the existence of new bugs in the same rendering engine raises eyebrows among security experts.

"You have to wonder why it took more than 220 days to create that patch if they missed these flaws," says Marc Maiffret, chief hacking officer at eEye Digital Security, the company that privately reported the first WMF bug to Microsoft last March.


"They spent more than half the year investigating. The whole reason for taking so long is for them to do the code audit to find other possible attack vectors," Maiffret said in an interview with eWEEK.

"[Microsoft] knowingly left customers vulnerable for a very long time. I don't think it's worth leaving things unfixed for so long and still miss other attack scenarios," Maiffret said.

Maiffret also pointed out that the original WMF bug was discovered by at least three private research teams, underscoring the likelihood that others are finding exploitable vulnerabilities and never reporting them to Microsoft.

"It won't surprise me if there's another [problem] that has not been patched. It won't surprise me at all," Maiffret said.

Editor's Note: This story was updated to include comments from Lennart Wistrand, lead security program manager in the MSRC.
