Microsoft Downplays New WMF Problem

One week after issuing an emergency patch for a vulnerability in Windows Meta File image processing that opened the door for arbitrary code execution, a new problem has been discovered in the format. But Microsoft has downplayed the concerns, saying the bug only causes "performance issues."

According to a posting to the Bugtraq mailing list, "Windows WMF graphics rendering engine is affected by multiple memory corruption vulnerabilities." The problems involve the ExtCreateRegion and ExtEscape functions.

"Reports indicate that these issues lead to a denial of service condition, however, it is conjectured that arbitrary code execution is possible as well. Any code execution that occurs will be with the privileges of the user viewing a malicious image," says Security Focus.

In a blog posting, Lennart Wistrand from Microsoft's Security Response Center explained that, "These crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit. These issues do not allow an attacker to run code or crash the operating system."

Wistrand says Microsoft did not include a fix for the performance issues because the patch was specifically related to the security vulnerability. Instead, the company is deciding whether to fix them in future service packs for the affected products.

"In order to keep the code churn in security updates to a minimum we try to avoid, as a general rule, including other code fixes for performance issues such as this," said Wistrand.

"It may seem counter-intuitive to not want to improve the code quality whenever opportunity arises, but the fact is that code churn incurred might have a negative impact on the quality of the update or yield a need for even more testing to ensure that we meet the quality bar for security updates."
