Windows Metafile (WMF) is a graphics file format on Microsoft Windows systems, originally designed in the early 1990s and not commonly used after the rise of the World Wide Web and the widely used graphics formats such as GIF and JPEG. It is a vector graphics format which also allows the inclusion of raster graphics. Essentially, a WMF file stores a list of function calls that have to be issued to the Windows graphics layer GDI in order to restore the image. Since some GDI functions accept pointers to callback functions for error handling, a WMF file may include executable code. It is somewhat similar in purpose and design to the PostScript format used in the Unix world.
WMF is a 16-bit format introduced in Windows 3.0; a newer 32-bit version with additional commands is called Enhanced Metafile (EMF). EMF is also used as a graphics language for printer drivers.
There are also compressed versions of Windows Metafiles known as Compressed Windows Metafile (WMZ) & Compressed Windows Enhanced Metafile (EMZ).
SetAbortProc exploit[]
- Main article: Windows Metafile vulnerability
Exploits using the "SetAbortProc" GDI function were discovered in December 2005. The function, which registers an error handler normally intended for use when a print job is cancelled during spooling, allows arbitrary code added to a WMF image to be executed without the permission of the user.
Alternative implementations[]
The WMF format was designed to be executed by the Windows graphics layer GDI in order to restore the image, but as the WMF binary files contain the definition of the GDI graphic primitives that constitute this image, it is possible to design alternative libraries that render WMF binary files, or convert them in other graphic formats.
For example, the Batik library is able to render WMF files and convert them to their SVG equivalent. The Vector Graphics package of the FreeHEP Java library allows to save Java2D drawings as EMF files.
Currently, the only programme that directly unpacks EMZ and WMZ files into EMF and WMF files is SpeedCommander 12.