1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. Web Attack: WMF Metahdr FileSize Int. Overflow

Web Attack: WMF Metahdr FileSize Int. Overflow

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.


This signature detects attempts to exploit an integer overflow vulnerability by sending a malformed WMF file.

Additional Information

Microsoft Internet Explorer supports the Windows Metafile (WMF) image format. WMF is a 16-bit image format that contains vector and bitmap information.

Microsoft Internet Explorer is affected by an unspecified memory-corruption vulnerability. This issue is allegedly due to an integer-overflow flaw that leads to corrupted heap memory.

This problem presents itself when a user views a malicious WMF-formatted file containing specially crafted data.

This issue allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploitation attempts likely result in crashing the application.

As with previous WMF-related issues, a remote attacker may exploit this issue through any means that would allow the attacker to transmit the malicious image to a user, including via a malicious website and HTML email. User interaction is likely required in remote attack scenarios.

As with other vulnerabilities related to the WMF format, note that viewing a malicious file in Internet Explorer may automatically trigger this issue. An attacker may name a malicious WMF file using other common picture file extensions such as '.gif', '.jpg', '.png', '.tif' to trigger this issue.


  • Avaya DefinityOne Media Servers R10, R11, R12, R6, R7, R8, R9
  • Avaya IP600 Media Servers R10, R11, R12, R6, R7, R8, R9
  • Avaya Modular Messaging (MAS)
  • Avaya S8100 Media Servers R10, R11, R12, R6, R7, R8, R9
  • Avaya Unified Communications Center S3400
  • Microsoft Internet Explorer 5.0.1 SP4, 5.5 SP2
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows ME
  • Microsoft Windows NT Server 4.0 SP6a
  • Nortel Networks Contact Center
  • Nortel Networks IP Address Domain Manager
  • Nortel Networks IP softphone 2050
  • Nortel Networks MCS 5100 3.0
  • Nortel Networks MCS 5200 3.0
  • Nortel Networks Optivity Telephony Manager TM-CS1000
  • Nortel Networks Self-Service Media Processing Server
  • Nortel Networks Self-Service Peri IVR
  • Nortel Networks Self-Service Peri NT Server


Microsoft has released advisory MS06-004 to address this issue. Please see the referenced advisory for further information.

Avaya has released an advisory to identify vulnerable products. They recommend that users apply patches released by Microsoft.

Microsoft Internet Explorer 5.0.1 SP4:
Microsoft Hotfix Cumulative Security Update for Internet Explorer (910620)

  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube