Windows Metafile

Windows Metafile
Filename extension .wmf, .emf, .wmz, .emz
Internet media type image/x-wmf, image/x-emf
Developed by Microsoft
Type of format Image file formats

Windows Metafile (WMF) is a graphics file format on Microsoft Windows systems, originally designed in the 1990s. Windows Metafiles are intended to be portable between applications and may contain both vector graphics and bitmap components.

Essentially, a WMF file stores a list of function calls that have to be issued to the Windows Graphics Device Interface (GDI) layer to display an image on screen. Since some GDI functions accept pointers to callback functions for error handling, a WMF file may erroneously include executable code.[1]

WMF is a 16-bit format introduced in Windows 3.0. It is the native vector format for Microsoft Office applications such as Word, PowerPoint, and Publisher.

In 1993, the 32-bit version of Win32/GDI introduced the Enhanced Metafile (EMF), a newer version with additional commands. EMF is also used as a graphics language for printer drivers. Microsoft recommends that "Windows-format" (WMF) functions only "rarely" be used and "enhanced-format" (EMF) functions be used instead.[2]

With the release of Windows XP, the Enhanced Metafile Format Plus Extensions (EMF+) format was introduced. EMF+ provides a way to serialize calls to the GDI+ API in the same way that WMF/EMF stores calls to GDI.

There are also compressed versions of Windows Metafiles known as Compressed Windows Metafile (WMZ) and Compressed Windows Enhanced Metafile (EMZ).[3]

Contents

Specifications and patents

The original 16 bit WMF file format was fully specified in volume 4 of the 1992 Windows 3.1 SDK documentation[4] (at least if combined with the descriptions of the individual functions and structures in the other volumes), but that specification (like most computer manuals) was vague about a few details. These manuals were published as printed books available in bookstores with no click through EULA or other unusual restrictions (just a general warning that if purchased as part of a software bundle, the software would be subject to one).

Over time the existence of that historic specification was largely forgotten and some alternative implementations resorted to reverse engineering to figure out the file format from existing WMF files, which was difficult and error prone.[5] In September 2006, Microsoft again published the WMF file format specification[6] in the context of the Microsoft Open Specification Promise, promising to not assert patent rights to file format implementors.[7]

Windows Metafile vulnerability

In December 2005, a vulnerability was reported to Microsoft by Symantec. By using a metafile to invoke a historic form of some printer management functions, Windows GDI could be tricked into executing data from the WMF file as code. It was assessed and classified as critical. This vulnerability was resolved in a security update on January 5, 2006 on Microsoft TechNet (MS06-001) and generally released January 10, 2006. Details can be found in Microsoft Knowledge Base Article "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution" (912919). It was also referred to as the WMF (Windows Meta File) vulnerability.

Security expert Steve Gibson did a thorough analysis of the WMF vulnerability and reached the conclusion that it had been included intentionally by Microsoft as a "backdoor" for whatever reason. Hence, the idea that hackers used a bug is erroneous. What hackers did was just discover existing but - thus far - undisclosed functionality. The discovery was presented in issue 22 of Security Now.[8] This claim has been challenged by Microsoft employee and Windows expert Mark Russinovich.[9]

Alternative implementations

The WMF format was designed to be executed by the Windows GDI layer in order to restore the image, but as the WMF binary files contain the definition of the GDI graphic primitives that constitute this image, it is possible to design alternative libraries that render WMF binary files, or convert them into other graphic formats. For example, the Batik library is able to render WMF files and convert them to their Scalable Vector Graphics (SVG) equivalent. The Vector Graphics package of the FreeHEP Java library allows the saving of Java2D drawings as EMF files. EMZ is an EMF file compressed with gzip.

See also

References

External links