Microsoft late Monday downplayed the risk of newly reported bugs in Windows' graphic rendering engine, and disputed the labeling of the threats as vulnerabilities. According to the Redmond, Wash.-based developer, the new Windows Metafile flaws are only "performance issues."
Security company Symantec warned users on Monday that three new vulnerabilities in the Windows graphics engine could allow maliciously-crafted Windows Metafile (WMF) files to crash and likely compromise computers. The bugs, said Symantec, were related to the one patched last Thursday by Microsoft, but not fixed by that update.
Microsoft acknowledged the problem, but contended that it wasn't serious. "Microsoft's initial investigation has found that these are not security vulnerabilities but rather performance issues that could cause an application to stop responding," a spokesperson said late Monday afternoon in an e-mail to TechWeb.
"These issues do not allow an attacker to run code or crash the operating system," the spokesperson added. "They may cause the WMF application to crash, in which case the user may restart the application and resume activity."
Applications that display or preview include Windows Picture and File Viewer.
The original discoverer of the bug, however, chimed in with an updated message to the Bugtraq security mailing list, and claimed that the flaws he uncovered can crash Explorer.exe, the executable that runs the Windows desktop, including the Start menu, taskbar, and file system.
Several analysts, in turn, said that it the newly-discovered WMF issues should be characterized as a denial-of-service (DoS) threat, while others noted that DoS attacks often evolve into more dangerous assaults that let hackers run code remotely on compromised systems.
"History teaches us that where there is DoS [and proof-of-concept code], there very likely is remote code execution," wrote William Salusky, an analyst with the Internet Storm Center, on the ISC's blog late Monday night.
Microsoft also said that it had spotted what it called "performance issues" during the recent investigation of WMF vulnerabilities that led to last Thursday's out-of-cycle patch, but decided they weren't worth fixing.
"We had previously identified these issues as part of our ongoing code maintenance and are evaluating them for inclusion in the next service pack," said Lennart Wistrand, lead security program manager in the Microsoft Security Response Center (MSRC).
"In order to keep the code churn in security updates to a minimum we try to avoid, as a general rule, including other code fixes for performance issues such as this," Wistrand wrote on the MSRC blog. "It may seem counter-intuitive to not want to improve the code quality whenever opportunity arises, but the fact is that code churn incurred might have a negative impact on the quality of the update or yield a need for even more testing to ensure that we meet the quality bar for security updates."