Network Computing is part of the Informa Tech Division of Informa PLC


Update: More Unpatched Bugs Loose In Microsoft Windows Metafile

Just days after Microsoft rushed out a patch for a bug in Windows Metafile (WMF) image processing, a security company has warned customers that multiple memory corruption vulnerabilities in the same rendering engine could leave users open to attack.

"An attacker may leverage these issues to carry out a denial-of-service attack or execute arbitrary code," Symantec said in a vulnerability alert issued through its DeepSight Management System.

The bugs may be associated with the one patched Thursday by Microsoft, but they involve different functions of the Windows WMF rendering engine, added Symantec, which highlighted the various values and structures within the engine that could be exploited.

"Reports indicate that these issues lead to a denial-of-service condition, however, it is conjectured that arbitrary code execution is possible as well," the Symantec alert went on.

If true, the dangers of these new vulnerabilities are identical to those of the flaw that Microsoft fixed last week. Like that bug, these newly discovered vulnerabilities can be exploited with a maliciously crafted WMF file that's posted on a Web site, opened from an e-mail attachment, or launched with Microsoft or third-party image applications.
