New lot of WMF flaws found

By Derek Sooman on January 10, 2006, 2:12 PM
Only days after Microsoft released a patch to deal with the Windows Metafile vulnerability, it has been revealed that at least two additional flaws have been discovered in the way Windows handles Metafiles. One was posted to the Bugtraq mailing list yesterday, with proof-of-concept exploit code appearing not long after. According to Microsoft, this can be used to cause a denial-of-service crash.

"As it turns out, these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit. These issues do not allow an attacker to run code or crash the operating system. They may cause the WMF application to crash, in which case the user may restart the application and resume activity," said Lennart Wistrand, lead security program manager in the MSRC (Microsoft Security Response Center).

User Comments: 10

Got something to say? Post a comment
PanicX said:
Well seeing as how the WMF file was automatically executed by Window's Shell process (explorer.exe), this is saying that a users shell can crash, but they just need to restart it and keep going. While not a security risk persay, its a hell of an annoyance for any user that isn't tech savvy. What if a user downloads the file to the desktop, at which point the shell would execute it and crash, then each time you restart the shell, it would simply crash again when loading the desktop. Thats loads of great fun for grandma.
lordbf1 said:
great just what we needed more issues with winblows!
asphix said:
So these flaws were created by the patch? Or existed before and due to the attention created by the prior vulnerability brought the issues to the front? I'm assuming its the second of those two.I agree with panicx, any sort of application error or crash can be extremely fusterating to anyone who cant understand or easily fix the problem.I just find it ironic that a critical vulnerability brought two not so critical problems to the front. In a way you could say the vulnerability brought about somethign positive.. well at least as soon as the issue is fixed by Microsoft :)
Vaerilis said:
They were so proud to release the latest patch ahead of the usual schedule, but now we have yet another problem.How is it that these painful errors are getting revealed now that people don't generally use .wmf files any more?
spike said:
SecurityResponse seem to beleive that the memory overflows in this bug may be able to be used to gain system level priveledges with a modification to the exploit code. We'll see...To answer the question, these flaws aren't a result of the recent wmf patch from MS. They are flaws that existed before the patch but only recently discovered (that is, by the outside world (- MS claims to have already known about them, and they claim that they were assessing the issues as an ongoing part of their code audit for inclusion in the next service pack for the affected products), and the patch does not fix these issues.[Edited by spike on 2006-01-10 15:01:33]
mentaljedi said:
Microsoft are having one hell of an issue with security here. I mean, who needs spyware etc... to slow down your pc when the OS can do it for you!
Race said:
Looks like we can expect a few more patches related to the WMF issue. According to an article (quoted below), it could take some time.In the last two months, the company has issued two bulletins—MS05-053 and MS06-001—to cover "critical" holes in WMF, but third-party researchers are still finding dangerous bugs. Last year, it took Microsoft more than seven months to create, test and release the MS05-053 bulletin. The company has blamed the delay on an extensive code review process, but the existence of new bugs in the same rendering engine raises eyebrows among security experts."You have to wonder why it took more than 220 days to create that patch if they missed these flaws," says Marc Maiffret, chief hacking officer at eEye Digital Security, the company that privately reported the first WMF bug to Microsoft last March."They spent more than half the year investigating. The whole reason for taking so long is for them to do the code audit to find other possible attack vectors," Maiffret said in an interview with eWEEK. "[Microsoft] knowingly left customers vulnerable for a very long time. I don't think it's worth leaving things unfixed for so long and still miss other attack scenarios," Maiffret said.Maiffret also pointed out that the original WMF bug was discovered by at least three private research teams, proving out the probability that others are finding exploitable vulnerabilities and never reporting them to Microsoft."It won't surprise me if there's another [problem] that has not been patched. It won't surprise me at all," Maiffret said.
exscind said:
Yeah, the "new" flaws found were always there, but were never discovered prior to the new patch that just came out.Microsoft sure tried to downplay the new flaws. It doesn't have to be exploitable for it to be a pain in the rear, and Microsoft kept trying to make it sound as if because it's not exploitable, the conseuqnces of the crashes is not significant.Somehow, I think Microsoft should hire or work with these "third-party researchers," as quoted by the article. They sure are impressive at finding flaws and bugs in Microsoft, not sure why Microsoft isn't hiring them on the security team. Perhaps this way the patches released by Microsoft will actually be a real patch instead of a broken band-aid.
xerowingsx5k said:
Although all programs and operating systems have their bugs, Windows is buggy enough for me to consider a beta. Everyone who owns Windows should think of themselves as a beta tester sent out by Microsoft to find bugs for years to come!
MonkeyMan said:
This could be quite annoying, in that you have to continously keep restarting the application, just to resume your work. I hope they fix this problem, and I hope they improve this software. Very unfortunate I think, wish the product could have been better.
Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.