Windows Metafile

Windows Metafile
Filename extension .wmf, .emf, .wmz, .emz
Internet media type image/x-wmf, image/x-emf
Developed by Microsoft
Initial release 1990
Latest release
11
(13 February 2014[1])
Type of format Image file formats
Container for Bitmaps among others
Open format? Microsoft OSP

Windows Metafile (WMF) is an image file format originally designed for Microsoft Windows in the 1990s. Windows Metafiles are intended to be portable between applications and may contain both vector graphics and bitmap components. It acts in a similar manner to SVG files.

Essentially, a WMF file stores a list of function calls that have to be issued to the Windows Graphics Device Interface (GDI) layer to display an image on screen. Since some GDI functions accept pointers to callback functions for error handling, a WMF file may erroneously include executable code.[2]

WMF is a 16-bit format introduced in Windows 3.0. It is the native vector format for Microsoft Office applications such as Word, PowerPoint, and Publisher. As of 2014 revision 11 of the Windows Metafile Format specification is available for online reading or download as PDF.[1]

Specifications and patents

The original 16 bit WMF file format was fully specified in volume 4 of the 1992 Windows 3.1 SDK documentation[3] (at least if combined with the descriptions of the individual functions and structures in the other volumes), but that specification was vague about a few details. These manuals were published as printed books available in bookstores with no click through EULA or other unusual licensing restrictions (just a general warning that if purchased as part of a software bundle, the software would be subject to one).

Over time the existence of that historic specification was largely forgotten and some alternative implementations resorted to reverse engineering to figure out the file format from existing WMF files, which was difficult and error prone.[4] In September 2006, Microsoft again published the WMF file format specification[5] in the context of the Microsoft Open Specification Promise, promising to not assert patent rights to file format implementors.[6]

Variants

In 1993, the 32-bit version of Win32/GDI introduced the Enhanced Metafile (EMF), a newer version with additional commands. EMF is also used as a graphics language for printer drivers. Microsoft recommends that "Windows-format" (WMF) functions only "rarely" be used and "enhanced-format" (EMF) functions be used instead.[7]

With the release of Windows XP, the Enhanced Metafile Format Plus Extensions (EMF+) format was introduced. EMF+ provides a way to serialize calls to the GDI+ API in the same way that WMF/EMF stores calls to GDI.

There are also compressed versions of Windows Metafiles known as Compressed Windows Metafile (WMZ) and Compressed Windows Enhanced Metafile (EMZ).[8]

Vulnerabilities

In December 2005, a vulnerability was reported to Microsoft by Symantec. By using a metafile to invoke a historic form of some printer management functions, Windows GDI could be tricked into executing data from the WMF file as code. It was assessed and classified as critical. This vulnerability was resolved in a security update on January 5, 2006 on Microsoft TechNet (MS06-001) and generally released January 10, 2006. Details can be found in Microsoft Knowledge Base Article "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution" (912919). It was also referred to as the WMF (Windows Meta File) vulnerability.

Security commentator Steve Gibson analysed the WMF vulnerability and reached the conclusion that it had been included intentionally by Microsoft as a "backdoor".[9] This was denied by Stephen Toulouse, writing officially on behalf of Microsoft,[10] and also by Microsoft employee Mark Russinovich, who explained what he said were several misunderstandings in Gibson's analysis.[11]

Implementations

The WMF format was designed to be executed by the Windows GDI layer in order to restore the image, but as the WMF binary files contain the definition of the GDI graphic primitives that constitute this image, it is possible to design alternative libraries that render WMF binary files, or convert them into other graphic formats. For example, the Batik library is able to render WMF files and convert them to their Scalable Vector Graphics (SVG) equivalent. The Vector Graphics package of the FreeHEP Java library allows the saving of Java2D drawings as Enhanced Metafiles (EMF). Inkscape and XnView can export to WMF or EMF.

See also

References

  1. 1.0 1.1 "[MS-WMF]: Windows Metafile Format". MSDN. 2014-02-13. Retrieved 2014-03-12.
  2. "It's not a bug, it's a feature". F-Secure. Retrieved 2009-10-08.
  3. Microsoft Windows 3.1 Programmers Reference, Volume 4 Resources, Microsoft Press 1992, ISBN 1-55615-494-1, chapter 3 pp. 21-45
  4. Caolan McNamara. "Window Metafile (wmf) Reference". Retrieved 2008-06-01. These opcodes are unimplemented, for the reason that i dont know what they are, no known documentation
  5. "MS-WMF: Windows Metafile Format Specification". Retrieved 2008-06-01.
  6. "Microsoft Open Specification Promise". Retrieved 2008-06-01.
  7. "Windows-Format Metafiles". Microsoft. Retrieved 2011-12-18.
  8. "You receive a "This file is an unsupported graphic format" error message when you try to insert a picture into a PowerPoint for Mac presentation". Microsoft. Retrieved 2008-06-01.
  9. Steve Gibson. "Security Now, Issue #22, The Windows Metafile Backdoor?". Retrieved 2010-06-11. '
  10. http://blogs.technet.com/b/markrussinovich/archive/2006/01/18/inside-the-wmf-backdoor.aspx
  11. "Inside the WMF Backdoor"

External links