Microsoft is downplaying newly reported bugs in its Windows’ graphic rendering engine. The software giant late Monday said security vendor reports about additional Windows Metafile (WMF) flaws are actually nothing more than “performance issues.”
Specifically, Symantec warned users on Monday that three new WMF vulnerabilities could allow attackers to crash and otherwise compromise computers.
“An attacker may leverage these issues to carry out a denial-of-service attack or execute arbitrary code,” Symantec said in a vulnerability alert issued through its DeepSight Management System.
Denial of Service Conditions
The new bugs may be associated with the flaws for which Microsoft issued patches last Thursday, Symantec said, but they involve different functions of the Windows WMF rendering engine.
“Reports indicate that these issues lead to a denial-of-service condition. However, it is conjectured that arbitrary code execution is possible as well,” the Symantec alert continued.
Is it time to panic? Not quite yet, according to Michael Sutton, director of Verisign company iDefense. The new bugs are application crashes, and he doesn’t blame Microsoft for downplaying the reports, he told TechNewsWorld.
Not Out of the Woods Yet
However, it is a fair assumption that many researchers are focused on this area, Sutton added, which means there will be more opportunities to expose additional threats.
“It seems like there is some flaky code in portions of the libraries that handle the WMF files,” Sutton said. “It wouldn’t surprise me if we see more vulnerabilities emerge, which I am sure will be followed by more media coverage.”
Recalling Zero Day
F-Secure first reported a significant WMF vulnerability on Dec. 27. So far, WMF exploits typically have been used to install spyware and adware, although the threat of virus and worm exploits remains.
Users who did not install the Microsoft-issued patch could be infected simply by visiting a Web site with an image file containing the WMF exploit. Internet Explorer users are at the greatest risk of automatic infection, while Firefox and Opera browser users are asked whether they’d like to open the WMF image or not. They get infected too if they answer “Yes.”
The zero-day vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003, Microsoft confirmed. This means if Symantec’s report is accurate, there are hundreds of millions of vulnerable computers at the moment.
Microsoft Not Worried
Microsoft said it was aware of the “performance issues” after last week’s investigation into the WMF vulnerabilities, but decided they were not worth fixing in last Thursday’s out-of-cycle patch.
The company is evaluating the issues for inclusion in the next service pack, Lennart Wistrand, lead security program manager in the Microsoft Security Response Center (MSRC), wrote in his blog.
“In order to keep the code churn in security updates to a minimum, we try to avoid, as a general rule, including other code fixes for performance issues such as this,” Wistrand noted.
“It may seem counterintuitive to not want to improve the code quality whenever opportunity arises, but the fact is that code churn incurred might have a negative impact on the quality of the update or yield a need for even more testing to ensure that we meet the quality bar for security updates,” he explained.