1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. HTTP Windows Explorer WMF File DOS

HTTP Windows Explorer WMF File DOS

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.


This signature detects an attempt to cause a denial of service attack against Windows Explorer with a specially crafted WMF file.

Additional Information

Microsoft Windows Explorer is prone to a denial-of-service vulnerability.n nA remote attacker may exploit this vulnerability by presenting a malicious file to a victim user and enticing them to open it with the vulnerable application. Users that simply browse folders containing the malicious file will also trigger this issue.

Specifically, the vulnerability exists when a maliciously crafted 'WMF' file is processed by the affected application. The 'CreateBrushIndirect' function fails to properly sanitize and validate the parameter 'LOGBRUSH' structure which contains brush information. An attacker can set the 'lbStyle' field inside the 'LOGBRUSH' structure to 'BS_DIBPATTERNPT' and use the 'lbHatch' field as a pointer to an invalid address. This causes a null pointer dereference in GDI32.DLL, crashing the affected application.

A successful exploit will crash the vulnerable application, effectively denying service.

This issue may be related to BID 19365: Microsoft Windows GDI32.DLL WMF Remote Denial of Service Vulnerability.


  • Microsoft Windows Explorer
  • Microsoft Windows XP
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Gold
  • Microsoft Windows XP Home SP1, SP2
  • Microsoft Windows XP Media Center Edition SP1, SP2
  • Microsoft Windows XP Professional SP1, SP2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows XP Tablet PC Edition SP1, SP2


Ensure that all vendor supplied patches have been applied.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube