SAN FRANCISCO -- Microsoft today issued a patch that addresses three critical security vulnerabilities in the way that its operating system processes Windows Metafile images. The patch, called Windows Update MS05-053 was released as part of the Redmond, Washington, company's monthly security update process.
The Metafile vulnerabilities, which affect most versions of Windows, could theoretically be exploited to allow a user to shut down or even gain control of an unpatched system by tricking a user into viewing a maliciously formatted Metafile image. Microsoft's explanation of the problem may be found here.
Windows Metafile is a graphics format used by some computer-aided design applications. Files that use this format have either a .wfm or .emf extension, according to a spokesperson for Microsoft's public relations agency.
How They Might Be Used
Though the vulnerabilities are rated "critical" by Microsoft, they may not be widely exploited according to Neel Mehta, team leader of Internet Security Systems' X-Force group. "There's still some user interaction required to exploit these issues, so we expect to see them used in the more sophisticated targeted attacks that we see, but it's unlikely that they'll be used in a widespread attack," he said.
The most likely way for an attacker to take advantage of these bugs would be by sending e-mail with a malicious graphic and hoping that it would be opened in Microsoft Outlook's preview pane. Attackers could also trick users into viewing such an image on a Web site, Mehta said.
The bugs are similar to one that was patched in Macromedia's Flash player earlier this week. That flaw, also rated critical, could be exploited in Macromedia Flash files, which have the extension .swf.
The Windows Metafile problems affect virtually all supported versions of Windows, according to Microsoft's statement. However, Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are not affected, the statement said.
"Microsoft Fixes Critical Windows Graphics Problem" Comments