Update: More Unpatched Bugs Loose In Microsoft Windows Metafile

Microsoft rushed out a patch

"An attacker may leverage these issues to carry out a denial-of-service attack or execute arbitrary code," Symantec said in a vulnerability alert issued through its DeepSight Management System.

The bugs may be associated with the one patched Thursday by Microsoft, but they involve different functions of the Windows WMF rendering engine, added Symantec, which highlighted the various values and structures within the engine which could be exploited.

"Reports indicate that these issues lead to a denial-of-service condition, however, it is conjectured that arbitrary code execution is possible as well," the Symantec alert went on.

If true, the dangers of these new vulnerabilities are identical to the flaw that Microsoft fixed last week. Like that bug, these newly discovered vulnerabilities can be exploited with a maliciously crafted WMF file that's posted on a Web site, opened from an e-mail attachment, or launched with Microsoft or third-party image applications.

Other similarities between these vulnerabilities and the one recently patched exist, Symantec continued. "As with other vulnerabilities related to the WMF format, it's noted that viewing a malicious file in Windows Explorer may automatically trigger these issues. An attack may name a malicious WMF file using other common picture file extensions such as .gif, .jpg, .png, or .tif to trigger these issues." Without a patch for this new problem, Symantec was forced to fall back on earlier advice given to users two weeks ago by Microsoft: disable the Windows Picture and Fax Viewer application. That program is automatically launched when users of Internet Explorer encounter a WMF file on a Web site.
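A defender's check for the extension mismatch Symantec describes, as an added example that is not part of the original article or Symantec's alert: it walks a directory and reports files whose extension claims a raster image but whose first bytes are a WMF header. The function names are hypothetical, and the header constants (placeable key `0x9AC6CDD7`, header size of 9 words, versions `0x0100`/`0x0300`) come from the published WMF format, not from this page.

```python
import struct
import tempfile
from pathlib import Path

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".tif", ".tiff"}


def looks_like_wmf(data: bytes) -> bool:
    """True if data begins with a placeable or a standard WMF header."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return True
    if len(data) < 18:          # standard header is 18 bytes
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    # Type 1 = in-memory, 2 = on-disk; header is always 9 16-bit words.
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def find_disguised_wmf(root) -> list:
    """Paths under root with a raster-image extension but WMF content."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            with path.open("rb") as fh:
                if looks_like_wmf(fh.read(22)):
                    hits.append(str(path))
    return sorted(hits)


def constructed_wmf(placeable: bool = False) -> bytes:
    """Constructed, harmless sample: a WMF header plus an end-of-file record."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
    eof = struct.pack("<IH", 3, 0)
    prefix = struct.pack("<I", PLACEABLE_KEY) + bytes(18) if placeable else b""
    return prefix + header + eof


if __name__ == "__main__":
    # Constructed sample files; names are illustrative only.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "holiday.jpg").write_bytes(constructed_wmf())
        (Path(d) / "logo.png").write_bytes(constructed_wmf(placeable=True))
        (Path(d) / "real.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(16))
        for hit in find_disguised_wmf(d):
            print("WMF content behind image extension:", hit)
```

The same content check can be applied at a mail gateway or web proxy, where a file's name is the only thing an extension filter would see.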

As of mid-morning Monday, Symantec had not confirmed the vulnerabilities, or the allegation that last week's patch doesn't solve the problem. However, Alfred Huger, senior director of engineering for Symantec's security response team, said the researcher is probably on the mark.

"Frankly, we expected something like this," Huger said. "We thought it was very likely that people knew of other vulnerabilities in the graphic rendering engine, but would wait to disclose them until Microsoft had patched, to see if their vulnerabilities were affected."

The researcher, identified as "Frank Ruder," claimed to be part of the China-based Xfocus group. "Xfocus is usually very accurate in its information," said Huger. "Its members have a history of finding vulnerabilities."

In the vulnerabilities' description posted on the Bugtraq security mailing list, Ruder claimed he would soon upload proof-of-concept code to the Xfocus site. As of Monday, that code had not appeared on the site.

Microsoft was not immediately available for comment on the new vulnerabilities.