RE: Are Office document files also an attack vector for the.WMF flaw?

["Larry Seltzer" <larry () larryseltzer com>]

> > I suspect that a booby-trapped .WMF file can be embedded in Office files
(Word, Excel, PowerPoint, ....) and will auto-execute when a document file
is opened.   

There's a line about this in Microsoft's advisory
(http://www.microsoft.com/technet/security/advisory/912840.mspx): "Windows
Metafile (WMF) images can be embedded in other files such as Word documents.
Am I vulnerable to an attack from this vector?
No. While we are investigating the public postings which seek to utilize
specially crafted WMF files through IE, we are looking thoroughly at all
instances of WMF handling as part of our investigation. While we're not
aware of any attempts to embed specially crafted WMF files in, for example
Microsoft Word documents, our advice is to accept files only from trusted
source would apply to any such attempts."

OK, starts out with an emphatic "No" and then wooses out. Any new info on
this?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.