Windows Metafile
Encyclopedia
Windows Metafile is a graphics file format
on Microsoft Windows
systems, originally designed in the 1990s. Windows Metafiles are intended to be portable between applications and may contain both vector graphics
and bitmap
components.
Essentially, a WMF file stores a list of function calls that have to be issued to the Windows Graphics Device Interface
(GDI) layer to display an image on screen. Since some GDI functions accept pointers to callback function
s for error handling, a WMF file may erroneously include executable code.
WMF is a 16-bit
format introduced in Windows 3.0
. It is the native vector format
for Microsoft Office
applications such as Word
, PowerPoint
, and Publisher
.
In 1993, the 32-bit
version of Win32/GDI introduced the Enhanced Metafile (EMF), a newer version with additional commands. EMF is also used as a graphics language for printer drivers.
With the release of Windows XP
, the Enhanced Metafile Format Plus Extensions (EMF+) format was introduced. EMF+ provides a way to serialize calls to the GDI+ API in the same way that WMF/EMF stores calls to GDI.
There are also compressed versions of Windows Metafiles known as Compressed Windows Metafile (WMZ) and Compressed Windows Enhanced Metafile (EMZ).
Over time the existence of that historic specification was largely forgotten and some alternative implementations resorted to reverse engineering to figure out the file format from existing WMF files, which was difficult and error prone. In September 2006, Microsoft again published the WMF file format specification in the context of the Microsoft Open Specification Promise
, promising to not assert patent rights to file format implementors.
by Symantec
. By using a metafile to invoke a historic form of some printer management functions, Windows GDI could be tricked into executing data from the WMF file as code. It was assessed and classified as critical. This vulnerability was resolved in a security update on January 5, 2006 on Microsoft TechNet (MS06-001) and generally released January 10, 2006. Details can be found in Microsoft Knowledge Base Article "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution" (912919). It was also referred to as the WMF (Windows Meta File) vulnerability.
Security expert Steve Gibson did a thorough analysis of the WMF vulnerability and reached the conclusion that it had been included intentionally by Microsoft as a "backdoor" for whatever reason. Hence, the idea that hackers used a bug is erroneous. What hackers did was just discover existing but - thus far - undisclosed functionality. The discovery was presented in issue 22 of Security Now. This claim has been challenged by Microsoft employee and Windows expert Mark Russinovich
.
, but as the WMF binary files contain the definition of the GDI graphic primitives that constitute this image, it is possible to design alternative libraries that render WMF binary files, or convert them into other graphic formats. For example, the Batik
library is able to render WMF files and convert them to their Scalable Vector Graphics
(SVG) equivalent. The Vector Graphics package of the FreeHEP
Java library allows the saving of Java2D drawings as EMF files. EMZ is an EMF file compressed with gzip
.
Image file formats
Image file formats are standardized means of organizing and storing digital images. Image files are composed of either pixels, vector data, or a combination of the two. Whatever the format, the files are rasterized to pixels when displayed on most graphic displays...
on Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
systems, originally designed in the 1990s. Windows Metafiles are intended to be portable between applications and may contain both vector graphics
Vector graphics
Vector graphics is the use of geometrical primitives such as points, lines, curves, and shapes or polygon, which are all based on mathematical expressions, to represent images in computer graphics...
and bitmap
Bitmap
In computer graphics, a bitmap or pixmap is a type of memory organization or image file format used to store digital images. The term bitmap comes from the computer programming terminology, meaning just a map of bits, a spatially mapped array of bits. Now, along with pixmap, it commonly refers to...
components.
Essentially, a WMF file stores a list of function calls that have to be issued to the Windows Graphics Device Interface
Graphics Device Interface
The Graphics Device Interface is a Microsoft Windows application programming interface and core operating system component responsible for representing graphical objects and transmitting them to output devices such as monitors and printers....
(GDI) layer to display an image on screen. Since some GDI functions accept pointers to callback function
Callback (computer science)
In computer programming, a callback is a reference to executable code, or a piece of executable code, that is passed as an argument to other code. This allows a lower-level software layer to call a subroutine defined in a higher-level layer....
s for error handling, a WMF file may erroneously include executable code.
WMF is a 16-bit
16-bit
-16-bit architecture:The HP BPC, introduced in 1975, was the world's first 16-bit microprocessor. Prominent 16-bit processors include the PDP-11, Intel 8086, Intel 80286 and the WDC 65C816. The Intel 8088 was program-compatible with the Intel 8086, and was 16-bit in that its registers were 16...
format introduced in Windows 3.0
Windows 3.0
Windows 3.0, a graphical environment, is the third major release of Microsoft Windows, and was released on 22 May 1990. It became the first widely successful version of Windows and a rival to Apple Macintosh and the Commodore Amiga on the GUI front...
. It is the native vector format
Vector graphics
Vector graphics is the use of geometrical primitives such as points, lines, curves, and shapes or polygon, which are all based on mathematical expressions, to represent images in computer graphics...
for Microsoft Office
Microsoft Office
Microsoft Office is a non-free commercial office suite of inter-related desktop applications, servers and services for the Microsoft Windows and Mac OS X operating systems, introduced by Microsoft in August 1, 1989. Initially a marketing term for a bundled set of applications, the first version of...
applications such as Word
Microsoft Word
Microsoft Word is a word processor designed by Microsoft. It was first released in 1983 under the name Multi-Tool Word for Xenix systems. Subsequent versions were later written for several other platforms including IBM PCs running DOS , the Apple Macintosh , the AT&T Unix PC , Atari ST , SCO UNIX,...
, PowerPoint
Microsoft PowerPoint
Microsoft PowerPoint, usually just called PowerPoint, is a non-free commercial presentation program developed by Microsoft. It is part of the Microsoft Office suite, and runs on Microsoft Windows and Apple's Mac OS X operating system...
, and Publisher
Microsoft Publisher
Microsoft Publisher is a desktop publishing application from Microsoft. It is an entry-level application, differing from Microsoft Word in that the emphasis is placed on page layout and design rather than text composition and proofing...
.
In 1993, the 32-bit
32-bit
The range of integer values that can be stored in 32 bits is 0 through 4,294,967,295. Hence, a processor with 32-bit memory addresses can directly access 4 GB of byte-addressable memory....
version of Win32/GDI introduced the Enhanced Metafile (EMF), a newer version with additional commands. EMF is also used as a graphics language for printer drivers.
With the release of Windows XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
, the Enhanced Metafile Format Plus Extensions (EMF+) format was introduced. EMF+ provides a way to serialize calls to the GDI+ API in the same way that WMF/EMF stores calls to GDI.
There are also compressed versions of Windows Metafiles known as Compressed Windows Metafile (WMZ) and Compressed Windows Enhanced Metafile (EMZ).
Specifications and patents
The original 16 bit WMF file format was fully specified in volume 4 of the 1992 Windows 3.1 SDK documentation (at least if combined with the descriptions of the individual functions and structures in the other volumes), but that specification (like most computer manuals) was vague about a few details. These manuals were published as printed books available in bookstores with no click through EULA or other unusual restrictions (just a general warning that if purchased as part of a software bundle, the software would be subject to one).Over time the existence of that historic specification was largely forgotten and some alternative implementations resorted to reverse engineering to figure out the file format from existing WMF files, which was difficult and error prone. In September 2006, Microsoft again published the WMF file format specification in the context of the Microsoft Open Specification Promise
Microsoft Open Specification Promise
The Microsoft Open Specification Promise , is a promise by Microsoft, published in September 2006, to not assert legal rights over certain Microsoft patents on implementations of an included list of technologies....
, promising to not assert patent rights to file format implementors.
Windows Metafile vulnerability
In December 2005, a vulnerability was reported to MicrosoftMicrosoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
by Symantec
Symantec
Symantec Corporation is the largest maker of security software for computers. The company is headquartered in Mountain View, California, and is a Fortune 500 company and a member of the S&P 500 stock market index.-History:...
. By using a metafile to invoke a historic form of some printer management functions, Windows GDI could be tricked into executing data from the WMF file as code. It was assessed and classified as critical. This vulnerability was resolved in a security update on January 5, 2006 on Microsoft TechNet (MS06-001) and generally released January 10, 2006. Details can be found in Microsoft Knowledge Base Article "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution" (912919). It was also referred to as the WMF (Windows Meta File) vulnerability.
Security expert Steve Gibson did a thorough analysis of the WMF vulnerability and reached the conclusion that it had been included intentionally by Microsoft as a "backdoor" for whatever reason. Hence, the idea that hackers used a bug is erroneous. What hackers did was just discover existing but - thus far - undisclosed functionality. The discovery was presented in issue 22 of Security Now. This claim has been challenged by Microsoft employee and Windows expert Mark Russinovich
Mark Russinovich
Mark E. Russinovich is a Technical Fellow in the Platform and Services Division at Microsoft. He was a cofounder of software producers Winternals before it was acquired by Microsoft in 2006.-Early life and education:...
.
Alternative implementations
The WMF format was designed to be executed by the Windows GDI layer in order to restore the imageImage
An image is an artifact, for example a two-dimensional picture, that has a similar appearance to some subject—usually a physical object or a person.-Characteristics:...
, but as the WMF binary files contain the definition of the GDI graphic primitives that constitute this image, it is possible to design alternative libraries that render WMF binary files, or convert them into other graphic formats. For example, the Batik
Batik (software)
Batik is a pure-Java library that can be used to render, generate, and manipulate SVG graphics. IBM supported the project and then donated the code to the Apache Software Foundation, where other companies and teams decided to join efforts.Batik provides a set of core modules that provide...
library is able to render WMF files and convert them to their Scalable Vector Graphics
Scalable Vector Graphics
Scalable Vector Graphics is a family of specifications of an XML-based file format for describing two-dimensional vector graphics, both static and dynamic . The SVG specification is an open standard that has been under development by the World Wide Web Consortium since 1999.SVG images and their...
(SVG) equivalent. The Vector Graphics package of the FreeHEP
FreeHEP
FreeHEP is an open source Java library designed to make programming high energy physics applications easier. While the name and main focus of the project is high energy physics, many self-contained APIs in the library are generic and suitable for non-physics applications.FreeHEP is distributed...
Java library allows the saving of Java2D drawings as EMF files. EMZ is an EMF file compressed with gzip
Gzip
Gzip is any of several software applications used for file compression and decompression. The term usually refers to the GNU Project's implementation, "gzip" standing for GNU zip. It is based on the DEFLATE algorithm, which is a combination of Lempel-Ziv and Huffman coding...
.