Denial of Service through new WMF hole
A proof-of-concept exploit that creates a manipulated WMF image has been published on the security mailing list Full Disclosure. The image causes Explorer to crash when Explorer processes it.
The flaw lies in the CreateBrushIndirect() function of the GDI32 API. Its discoverer analysed it in a separate posting: it can cause a crash because of a random memory access. The hole does not appear to be usable for planting malicious code.
- 0-day XP SP2 wmf exploit, Advisory at Full Disclosure
- 0-day XP SP2 wmf exploit (details), Further details at Full Disclosure