New WMF Bug on the Loose

Just when you stopped having nightmares about the Windows MetaFile (WMF) bug of '05: now there's a new WMF exploit in the wild.

A researcher with the pseudonym of cyanid-E yesterday published a new WMF vulnerability, which he says he reported to Microsoft in late June. The vulnerability exploits the same GDI Client DLL library (gdi32.dll) as did the previous zero-day WMF flaw WMF flaw, which was a major security problem for enterprises.

Unlike its predecessor, though, the new WMF vulnerability is considered low-risk -- so far, it only crashes Internet Explorer and other apps that use the DLL. But a determined and sophisticated hacker could exploit the hole to gain administrative privileges, says Paul Henry, vice president of strategic accounts for Secure Computing. Henry tested the exploit in his home lab and says it did crash apps on a fully patched Windows XP machine.

Unlike the previous WMF, which was a stack overflow bug, the latest WMF vulnerability uses heap overflow. "Heap overflow is a little more difficult to exploit than a stack overflow," Henry says.

Still, this new WMF bug shouldn't be as big as the first one, says Thomas Ptacek, a researcher with Matasano Security. "The original WMF vulnerability was a 'perfect storm' that allowed remote code execution in a way that bypassed many of the protections Microsoft had built into the operating system, and did so using a poorly understood graphic engine lurking in most Windows clients," Ptacek says. "Today's bug has none of these attributes."

Still, if an attacker were to find a way to "weaponize" this coding error to execute code or manipulate the operating system, that would spell trouble, Ptacek says, noting that "this will simply be a precursor."

Secure Computing's Henry calls it a "nuisance" that could become a serious problem if sophisticated attackers were to get hold of it. By faking a user into viewing a malicious WMF image file, it crashes apps on a patched Windows XP SP2 machine as well as earlier versions.

Meanwhile, it's unclear if a patch for this bug will be among the 12 that Microsoft releases tomorrow on its monthly Patch Tuesday. (See Microsoft to Issue 12 New Patches.) For now, the only way to protect yourself is to restrict WMF file access to trusted users and documents, according to Secunia.

— Kelly Jackson Higgins, Senior Editor, Dark Reading