New WMF Bug on the Loose

A researcher has published a new flaw in Windows MetaFile

Dark Reading logo in a gray background | Dark Reading

Just when you stopped having nightmares about the Windows MetaFile (WMF) bug of '05: now there's a new WMF exploit in the wild.

A researcher with the pseudonym of cyanid-E yesterday published a new WMF vulnerability, which he says he reported to Microsoft in late June. The vulnerability exploits the same GDI Client DLL library (gdi32.dll) as did the previous zero-day WMF flaw WMF flaw, which was a major security problem for enterprises.

Unlike its predecessor, though, the new WMF vulnerability is considered low-risk -- so far, it only crashes Internet Explorer and other apps that use the DLL. But a determined and sophisticated hacker could exploit the hole to gain administrative privileges, says Paul Henry, vice president of strategic accounts for Secure Computing. Henry tested the exploit in his home lab and says it did crash apps on a fully patched Windows XP machine.

Unlike the previous WMF, which was a stack overflow bug, the latest WMF vulnerability uses heap overflow. "Heap overflow is a little more difficult to exploit than a stack overflow," Henry says.

Still, this new WMF bug shouldn't be as big as the first one, says Thomas Ptacek, a researcher with Matasano Security. "The original WMF vulnerability was a 'perfect storm' that allowed remote code execution in a way that bypassed many of the protections Microsoft had built into the operating system, and did so using a poorly understood graphic engine lurking in most Windows clients," Ptacek says. "Today's bug has none of these attributes."

Still, if an attacker were to find a way to "weaponize" this coding error to execute code or manipulate the operating system, that would spell trouble, Ptacek says, noting that "this will simply be a precursor."

Secure Computing's Henry calls it a "nuisance" that could become a serious problem if sophisticated attackers were to get hold of it. By faking a user into viewing a malicious WMF image file, it crashes apps on a patched Windows XP SP2 machine as well as earlier versions.

Meanwhile, it's unclear if a patch for this bug will be among the 12 that Microsoft releases tomorrow on its monthly Patch Tuesday. (See Microsoft to Issue 12 New Patches.) For now, the only way to protect yourself is to restrict WMF file access to trusted users and documents, according to Secunia.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights