Microsoft Dubs New WMF Bugs 'Performance Issues' - InformationWeek
Security company Symantec warned users Monday that three new vulnerabilities could allow maliciously crafted Windows Meta File files to crash and likely compromise computers. Microsoft disputes this characterization.

Microsoft late Monday downplayed the risk of newly reported bugs in Windows' graphic rendering engine, and disputed the labeling of the threats as vulnerabilities. According to the Redmond, Wash.-based developer, the new Windows Metafile flaws are only "performance issues."

Security company Symantec warned users on Monday that three new vulnerabilities in the Windows graphics engine could allow maliciously crafted Windows Metafile (WMF) files to crash and likely compromise computers. The bugs, said Symantec, were related to the one patched last Thursday by Microsoft, but were not fixed by that update.

Microsoft acknowledged the problem, but contended that it wasn't serious. "Microsoft's initial investigation has found that these are not security vulnerabilities but rather performance issues that could cause an application to stop responding," a spokesperson said late Monday afternoon in an e-mail to TechWeb.

"These issues do not allow an attacker to run code or crash the operating system," the spokesperson added. "They may cause the WMF application to crash, in which case the user may restart the application and resume activity."

Applications that display or preview WMF files include Windows Picture and File Viewer.

The original discoverer of the bug, however, chimed in with an updated message to the Bugtraq security mailing list, and claimed that the flaws he uncovered can crash Explorer.exe, the executable that runs the Windows desktop, including the Start menu, taskbar, and file system.

Several analysts, in turn, said that the newly discovered WMF issues should be characterized as a denial-of-service (DoS) threat, while others noted that DoS bugs often evolve into more dangerous attacks that let hackers run code remotely on compromised systems.

"History teaches us that where there is DoS [and proof-of-concept code], there very likely is remote code execution," wrote William Salusky, an analyst with the Internet Storm Center, on the ISC's blog late Monday night.

Microsoft also said that it had spotted what it called "performance issues" during the recent investigation of WMF vulnerabilities that led to last Thursday's out-of-cycle patch, but decided they weren't worth fixing.

"We had previously identified these issues as part of our ongoing code maintenance and are evaluating them for inclusion in the next service pack," said Lennart Wistrand, lead security program manager in the Microsoft Security Response Center (MSRC).

"In order to keep the code churn in security updates to a minimum we try to avoid, as a general rule, including other code fixes for performance issues such as this," Wistrand wrote on the MSRC blog. "It may seem counter-intuitive to not want to improve the code quality whenever opportunity arises, but the fact is that code churn incurred might have a negative impact on the quality of the update or yield a need for even more testing to ensure that we meet the quality bar for security updates."
