WMF will just not go away!

Just days after Microsoft Corp. patched a critical vulnerability in the way the Windows operating system renders certain types of graphics files, a hacker has published details of two new flaws that affect the same part of the operating system.

The new vulnerabilities were posted to the Bugtraq security mailing list on Monday by a hacker going by the name of “cocoruder.”

All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch to the problem, ahead of its monthly security software update.

Read the full article on InfoWorld.

UPDATE: Microsoft responds on the Microsoft Security Response Blog:

Just to be clear, the security update accompanying MS06-001 did not include fixes for these performance issues. Security updates sometimes do include other fixes, quite often this is a result of the cumulative nature of development, i.e., it may be that those types of fixes get checked in to the code tree and then picked up when a file is serviced in that code branch. However, in order to keep the code churn in security updates to a minimum we try to avoid, as a general rule, including other code fixes for performance issues such as this. It may seem counter-intuitive to not want to improve the code quality whenever opportunity arises, but the fact is that code churn incurred might have a negative impact on the quality of the update or yield a need for even more testing to ensure that we meet the quality bar for security updates.

Service Packs or Update Rollups are typically the preferred method of servicing software. If a fix for an issue cannot wait until the next service pack we do consider other forms of servicing. You can read more about the different servicing mechanisms and our terminology for these in this article: http://support.microsoft.com/kb/824684

Author: Xavier Ashe

Entrepreneur, Infosec Executive, CISSP, CISM, Ironman triathlete, traveler, UU, paleo, father of 8, goyishe, gamer, & geek. http://linkedin.com/in/xavierashe
