Microsoft Windows GRE WMF Format Multiple Memory Overrun
Two new vulnerabilities have been found in the Microsoft Windows
Graphics Rendering Engine (GRE). This is related to the previous
WMF vulnerability but this time it causes Denial of Service (DOS)
and not remote code execution and may also restart the explorer.exe
process. These vulnerabilities can be triggered by viewing
specially crafted .wmf files.
These two new vulnerabilities are not addressed in the MS06-001
Security Update so all products listed below is affected by the
- Microsoft Windows XP SP2
- Microsoft Windows XP SP1
- Microsoft Windows Server 2003 SP1
- Microsoft Windows Server 2003
- Microsoft Windows ME
- Microsoft Windows 98se
- Microsoft Windows 98
- Microsoft Windows 2000 SP4
But, according to Lennart Wistrand of Microsoft, these are just
Windows performance issues and are not really exploitable and do
not allow the attacker to execute arbitrary code nor crash the
underlying affected OS. He also stated that, they have ongoing code
maintenance and will be release on the next service pack of the
Since, there are no patches yet that addresses these bugs, the
workaround for the previous WMF vulnerability is still applicable.
The steps are enumerated below to unregister the Windows Picture
and Fax Viewer (Shimgvw.dll).
- Go to start then click on “Run”
- Type “cmd” or “command” to open the command prompt console
- Type “regsvr32 -u %systemdir%shimgvw.dll” in the command
Two crafted .wmf samples have been out from the internet that
exploit the said vulnerabilities and have been given the detection
names TROJ_WMFCRASH.B and TROJ_WMFCRASH.C.
%systemdir% is usually C:windowssystem (98 and ME) or
C:windowssystem32 (XP) or C:winntsystem32 (2000).