
Microsoft Windows Enhanced/Windows Metafile Handling Vulnerability

Feb 24, 2004 11:33PM PST

Secunia Advisory: SA10968
Release Date: 2004-02-25

Critical: Moderately critical
Impact: Privilege escalation, DoS, System access

Where: From remote

OS: Microsoft Windows XP Home Edition, Microsoft Windows XP Professional

Description:
A vulnerability has been reported in Windows XP, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to boundary errors (possibly in "shimgvw.dll") when processing Enhanced Metafiles (".emf"). The problem is that memory is allocated based on size information in the file's header.

This can be exploited to cause heap overflows by specifying a "Size" field, which is smaller (e.g. 1 byte) than the actual size of the file and header. The vulnerability will be triggered by either viewing a malicious file or by navigating to a directory, which contains a malicious file and displays it as a thumbnail.

Successful exploitation crashes "explorer.exe" but may reportedly also allow execution of arbitrary code.

NOTE: Windows Metafiles (".wmf") with malformed "Size" fields will also impact functionality somewhat by consuming 99% CPU resources.

Solution:
Grant only trusted users access to affected systems. Don't view untrusted ".emf" files. Don't display the contents of directories as thumbnails.

http://secunia.com/advisories/10968/
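
A defensive check for the size-field mismatch described in the advisory above, as an added example (not from the advisory or the original post): it compares the sizes an EMF header declares with the bytes actually present, before anything is allocated from them. The advisory does not say which "Size" field is involved, so checking both `nSize` and `nBytes` of the standard `ENHMETAHEADER` layout is an assumption, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define EMF_HDR_MIN   88u          /* fixed part of ENHMETAHEADER */
#define EMF_SIGNATURE 0x464D4520u  /* dSignature " EMF" at offset 40 */

enum emf_status { EMF_OK, EMF_TRUNCATED, EMF_NOT_EMF,
                  EMF_BAD_HEADER_SIZE, EMF_SIZE_MISMATCH };

/* Little-endian 32-bit read/write without alignment assumptions. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Compare the sizes the header declares with the bytes really present. */
enum emf_status emf_check_sizes(const uint8_t *buf, size_t len)
{
    if (len < EMF_HDR_MIN)
        return EMF_TRUNCATED;
    if (rd32(buf) != 1u /* EMR_HEADER */ || rd32(buf + 40) != EMF_SIGNATURE)
        return EMF_NOT_EMF;
    uint32_t n_size  = rd32(buf + 4);   /* nSize: header record length */
    uint32_t n_bytes = rd32(buf + 48);  /* nBytes: whole metafile length */
    if (n_size < EMF_HDR_MIN || (n_size & 3u) || n_size > len)
        return EMF_BAD_HEADER_SIZE;
    if (n_bytes != len)                 /* strict policy (assumption) */
        return EMF_SIZE_MISMATCH;
    return EMF_OK;
}

/* Constructed sample: a zero-filled buffer of `len` bytes (max 128)
   carrying only the header fields the check reads. Hypothetical helper. */
enum emf_status emf_sample_status(uint32_t n_size, uint32_t n_bytes, size_t len)
{
    uint8_t buf[128] = {0};
    if (len > sizeof buf) len = sizeof buf;
    wr32(buf, 1u);                 wr32(buf + 4, n_size);
    wr32(buf + 40, EMF_SIGNATURE); wr32(buf + 48, n_bytes);
    return emf_check_sizes(buf, len);
}
```

A parser that passes this check can size its buffers from the verified length rather than from the header value alone.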
