Blocking of WMF

Jethro R Binks jethro.binks at
Tue Mar 17 12:18:14 GMT 2009

For a long time we've had the following rule enabled:

# JKF 01/01/2006 Another Microsoft security vulnerability
deny    \.wmf$          Windows Metafile security vulnerability
                        Possible format attack in Windows

More and more we are finding that .WMFs are being discovered in the 
zipfile that MS Office 2007 documents are composed of.  This MS kb article 
alludes to one particular issue relating to "thumbnail.wmf" being 

but we very often see "image1.wmf", "image2.wmf", etc discovered too.

Very often, the sending user is completely oblivious to the presence of 
images in the document (zip file), nor what to do to remove them or save 
them as something else, and at least in the case of the "thumbnail.wmf" 
content, this is something that the application itself has generated 
without the user knowing about it.

So my question is twofold:

1. do other sites have this issue and what do they do about it;

2. is blocking of .WMF justified these days, given that patches for the 
potential vulnerability have been available for many years now.  Is it 
still being actively exploited?

Thoughts welcome,


.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

More information about the MailScanner mailing list