The newly disclosed issues could be a conduit for denial-of-service attacks, according to a description sent to the Bugtraq mailing list on Monday. A core function of the Windows operating system, explorer.exe, will crash a vulnerable Windows PC if a user views a specially crafted WMF image, according to the description. Explorer runs the Windows user interface, including the Start menu, taskbar, desktop and file manager.
Microsoft is aware of the problems, a representative for the software maker said in an e-mailed statement. The company had identified these issues before the report and is evaluating fixes for inclusion in the next service pack for the affected products, the representative said.
"Microsoft's initial investigation has found that these are not security vulnerabilities but rather performance issues that could cause an application to stop responding," the representative said.
Microsoft disputes that the flaws can cause Windows to stop responding, but said they may affect an application used to view a WMF image. Such applications include the Windows Picture and Fax Viewer.
"(The issues) may cause the WMF application to crash, in which case the user may restart the application and resume activity," the software maker said. The issues do not allow an attacker to commandeer a Windows system, Microsoft noted.
Word of the new problems comes just days after Microsoft rushed out a critical update for a vulnerability related to the rendering of WMF files. Cybercriminals were taking advantage of that flaw to attack Windows computers via malicious Web sites, Trojan horses and instant-messaging worms.
It is no surprise that more WMF flaws are being found, said Mike Murray, the director of vulnerability and exposure research at nCircle, a vulnerability management company in San Francisco. "When a part of Windows yields up a couple of vulnerabilities, it draws attention, and many malicious researchers start looking at that part more closely," he said.
Bugs affecting components of software typically come out in bunches, Murray said. "A few years ago it was IIS, then SQL Server, then RPC, now it's the Windows Graphics Engine," he said. IIS is Internet Information Services (the Web server part of Windows Server), SQL Server is Microsoft's database product, and RPC is the Remote Procedure Call component.
The newly reported Windows issues aren't as serious as the one Microsoft just patched--at least, not yet, Murray cautioned. "In the current release, they're only denial-of-service attacks. However, it's likely that they could be leveraged to be more severe. "If it's possible to write an exploit to take control of an attacked machine, we'll see one in the next week or two," he said.
Microsoft is not aware of any attacks that use the newly disclosed issues as a conduit, it said.
