[ISN] Two new WMF bugs found

InfoSec News isn at c4i.org
Tue Jan 10 01:33:33 EST 2006


http://www.networkworld.com/news/2006/010906-microsoft-wmf-bug.html

By Robert McMillan
IDG News Service
01/09/06

Just days after Microsoft patched a critical vulnerability in the way
the Windows operating system renders certain types of graphics files,
a hacker has published details of two new flaws that affect the same
part of the operating system.

The new vulnerabilities were posted to the Bugtraq security mailing
list on Monday by a hacker going by the name of "cocoruder."

All three flaws concern the way Windows renders images in the Windows
Metafile (WMF) format used by some computer-aided design applications,
but these latest flaws are far less serious than the vulnerability
that Microsoft patched last week, according to security experts. That
vulnerability was serious enough to cause Microsoft to take the
unusual step of releasing an early patch to the problem, ahead of its
monthly security software update.

While the patched flaw was being exploited by attackers to take
control of Windows machines, the latest vulnerabilities appear to pose
the risk of simply crashing the WMF-viewing software, typically
Internet Explorer. However, users would first need to trick a victim
into viewing a specially crafted WMF image in order for this to
happen, security experts say.

The vulnerabilities can be found in a number of versions of Windows,
including Windows XP, Service Pack 2, Windows Server 2003, Service
Pack 1, and Windows 2000, Service Pack 4, according to cocoruder's
Bugtraq posting.

Because of the inherent complexity of image formats, there are plenty
of opportunities for attackers to find bugs similar to the two that
were revealed Monday, said Russ Cooper, senior information security
analyst for Cybertrust.

Cooper said that the new WMF vulnerabilities are not a major cause of
concern. "New malformed images that simply crash things aren't really
that important unless they can be shown to cause code to execute," he
said via instant message. "This is only getting any attention because
its WMF and Microsoft just released a WMF patch."

Johannes Ullrich, chief research officer for the SANS Institute,
agreed that these type of image problems are fairly common, but he
said that the fact that so many WMF vulnerabilities have popped up of
late -- Microsoft fixed three other WMF bugs in November -- indicates
that the software vendor could be doing a better job of predicting
where its security problems might lie.

Microsoft should have been able to catch these latest flaws and fix
them with its November patch, Ullrich said. "They really seem to have
a problem thinking offensively," he said of Microsoft. "If you don't
really look for these vulnerabilities with this offensive mindset, but
if you instead look at it from a programmers perspective ... you just
don't find a lot of these things."

"Every month they have one or two image problems they fix," Ullrich
added. "It's actually kind of surprising they don't get exploited
more."

A spokeswoman from Microsoft was unable to provide comment for this
story.





More information about the ISN mailing list