Domain: grc.com
Stories and comments across the archive that link to grc.com.
Comments · 905
-
GRC.com likes [the FOSS] 'TrueCrypt'
Check out Steve's SecurityNow! podcast 41
to hear why & more about it:
http://media.grc.com/sn/SN-041.mp3
For slow modem users, here's the transcript:
http://www.grc.com/sn/SN-041.pdf
A list of his other podcasts:
http://securitynow.info/ -
Re:Cheap solution: Throwaway PC with AV and a CD b
Well now
... aren't you a fucking wizard. I bet you went to ITT Tech or Univ. of Phoenix. I have a better idea. Use an OS that doesn't suck (I prefer OS X .. but to each his own. There are other options).
Typical anti-Microsoft knee-jerk reaction. You must be a fan of Apple in spite of their almost non-existent market share.
The only 3 options that currently matter....
Linux - Great for server boxen and computer networking but isn't quite 'consumer grade' yet. I hear Linux installations are a pain to use unless you get one of the 'Windowslike' distros that have easy setup/installation routines.
OS X - A great, rather secure OS based on UNIX. Too bad only artistes use it like gangbusters--not the general public who just want to play games or manage their finances on their computer. Has tiny market share compared to....
Windows - Buggy, kludged for 'backwards compatibility' with earlier versions of DOS/Windows, and insecure, its only strengths are ease of use and dominant market share.
The best idea would be to write a secure, efficient OS from the ground up. Can you do that? I could as I have enough knowledge of x86 BIOS, x86 assembler, and C to try. However, I don't have the time to spare to even make the attempt. And even if I did and finished it, it would probably be a 'hobby OS' like Linux was before big companies like IBM 'got behind it'....
Systems programming is not for the faint of heart!
It should only be attempted by people like Steve Gibson who writes all his Windows programs in 100% assembly language! -
Re:Cool. But why?
Check out the Security Now Podcast or transcript http://www.grc.com/securitynow.htm http://www.grc.com/sn/SN-018.htm Episode 18 and 19 is about Hamachi.
-
Re:encrypted wireless?
Saying WPA "might have a hole" is like saying that AES "hasn't been proven to be completely secure". Technically correct, but really stupid. If WPA is broken (which it wont be, ever) MAC address filtering WILL NOT save your system. Do you even know why it's broken? The thing is, every packet sent to a router will contain the MAC-address of the card that sent it, if you sniff ONE PACKET of data, you can impersonate the sender. A few ARP packets later, and the entire LAN is yours to play with. It's as simple as that.
Look, I don't have the energy to put up a defense of WPA instead of MAC-filtering, simply because it's so ridiculous to do, so I'll just point you to a fun little resource: The Security Now podcast has some great introductions to network security. In episode 11 they explain why WEP and MAC-address filtering sucks. If you want all the details, you can go there. Episode 13 explains why WPA is a quadrillion times better.
Using MAC-address filter is just a plain waste of time and energy.
-
Re:It's true
He's also the guy who wrote his own IRC app from the RFC in order to back-track some script kiddies. His article about the DoS attack on his site is interesting reading:
http://www.grc.com/dos/grcdos.htm -
It's true
Nearly 5 years ago, the great and all knowing Steve Gibson predicted that the raw sockets in Windows XP would allow packet spoofing that would bring down the internet with unstoppable DOS attacks.
So it must be true.
-
Re:Bonjour vs UPnP
How does Bonjour compare to Universal Plug-n-Play (besides probably being more secure, given UPnP's reputation)?
UPnP is insecure because of its reputation? Aside from a little bit of GRC grand-standing, UPnP is perfectly safe (with normal precautions you'd take for anything network-related, of course). Sure, there were a few flaws in Microsoft's implementation of a UPnP IGD (Internet Gateway Device) for use in conjunction with ICS (Internet Connection Sharing, or "NAT" as the rest of us know it), which is something you probably shouldn't use anyway (consumer-grade routers have better connection sharing). Enabling UPnP on your router for use with UPnP-aware applications like Xbox Live, MSN Messenger, Azureus, Media Center Extenders, etc, is perfectly safe. If you use a Linux box as a NAT router, you can even install an IGD daemon for Linux (of course, you'll want to make sure it's not broadcasting on your public interface).
Others have mentioned that Rendezvous/Bonjour is not a competitor to UPnP. I'm talking about the perceived threat of UPnP, and the unfortunate damage that idiot GRC did five years ago by spouting off about crap he didn't understand.
-
Re:Encryption Being Broken in 20 Years...
Well, in some cases that may be true, but have you ever heard of The Enigma Machine? It was a World War II era cipher machine used by many (though most notably by the Nazis). It's neat stuff.
At any rate, while most of the messages from it have been broken long ago, some are only coming to light today using mass computing power.
Use a good encryption, and you'll be safe 'till the sun eats us.
For more good info on encryption, check out Steve Gibson and Leo Laporte's Podcast, Security Now!, with special care taken to listen to episodes 30 through 35.
-
EverNote & Spinrite
http://www.evernote.com/en/
First learned of it on the Wacom drawing tablet mailing list and now could not survive without it. Endless stream of virtual paper with auto-dating and auto-categorization, all searchable. Plop in pictures, typed notes, swaps from clipboard, live weblinks, quoted text or images from websites which retain the connection. Pony up for the quite reasonable paid version and write directly into it with your drawing tablet or tablet PC and get that converted on the fly to searchable text.
http://grc.com/spinrite.htm/
Spinrite has been the most amazing hardware maintenance app bar none for...gosh. Pushing two decades. I'll never forget watching it change my RLL drive's interleave w/o formatting in ~1988. Now that Mac users are on commodity hardware they can use it for their disks without yanking them from the boxes. Not free but worth every last cent. Sales of Spinrite also pay for all the free security apps its creator offers.
Me, I'm waiting for easy OSX on non-Apple hardware. Somehow I don't see Apple helping us with that.... -
Re:Exemption...But... WPA-PSK is abysmally weak
Sorry, but that is pure FUD. WPA-PSK is not "abysmally weak". WEP is "abysmally weak". You cannot, in any reasonable length of time, brute force a WPA-PSK key of length any more than 8 characters, especially if they are numbers, capital letters, symbols etc. Here's a hint, go to this password generator, get a key, and you are safe, despite using the "abysmally weak" WPA-PSK. Do you want to brute-force that? Your 24 character limit is bogus. Try it yourself, make a WPA passphrase, and try brute-forcing it. Just try. Even a simple password, just letters, will NOT be brute forced.
-
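The key derivation the two posters above are arguing about, as an added example that is not code from either of them or from GRC: WPA/WPA2-Personal turns the passphrase and SSID into the 256-bit pairwise master key with PBKDF2-HMAC-SHA1 at 4096 iterations, so every guess against a captured handshake costs 4096 HMAC rounds, and the key space grows with the alphabet raised to the passphrase length. The block checks the derivation against the IEEE 802.11i Annex H test vector ("password" / "IEEE"), runs a dictionary attack over a word list constructed here, and estimates exhaustion time for an assumed guess rate (the 1,000,000 guesses/second figure is a placeholder to substitute with your own hardware's number).

```python
import hashlib
import string

# WPA/WPA2-Personal derives the 256-bit pairwise master key (PMK) as
# PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) per IEEE 802.11i.
# Each guess against a captured four-way handshake must repeat all 4096 rounds.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32

LOWERCASE = string.ascii_lowercase                                     # 26 symbols
MIXED_ALNUM = string.ascii_letters + string.digits                     # 62 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK from an ASCII passphrase (8..63 chars) and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"),
        PBKDF2_ITERATIONS, PMK_LENGTH,
    )


def keyspace(length: int, alphabet: str) -> int:
    """Number of distinct passphrases of the given length over the alphabet."""
    return len(alphabet) ** length


def seconds_to_exhaust(length: int, alphabet: str, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase at a (hypothetical) guess rate."""
    return keyspace(length, alphabet) / guesses_per_second


def recover_passphrase(target_pmk: bytes, ssid: str, candidates):
    """Dictionary attack: return the candidate whose PMK matches, or None.
    This is the offline work an attacker does once they hold a handshake
    they can verify guesses against; each candidate costs one full PBKDF2 run."""
    for candidate in candidates:
        if 8 <= len(candidate) <= 63 and wpa_psk(candidate, ssid) == target_pmk:
            return candidate
    return None


# Constructed sample inputs for the demonstration (not from the page).
SAMPLE_SSID = "IEEE"
SAMPLE_PASSPHRASE = "password"   # IEEE 802.11i Annex H test vector
SAMPLE_WORDLIST = ["letmein1", "qwertyui", "password", "hunter22"]

if __name__ == "__main__":
    pmk = wpa_psk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    print("PMK:", pmk.hex())
    print("wordlist hit:", recover_passphrase(pmk, SAMPLE_SSID, SAMPLE_WORDLIST))
    rate = 1_000_000  # assumed guesses/second; replace with a measured figure
    for name, alphabet in (("lowercase", LOWERCASE), ("alnum", MIXED_ALNUM), ("printable", PRINTABLE)):
        years = seconds_to_exhaust(8, alphabet, rate) / (365 * 24 * 3600)
        print(f"8 chars, {name:9s}: {keyspace(8, alphabet):.3e} keys, {years:.2f} years at {rate:,} guesses/s")
```

Running it prints the test-vector PMK, the word-list hit, and how the exhaustion time changes between a lowercase-only and a full-printable 8-character passphrase at the assumed rate; the comparison is the quickest way to check the claims in the thread against a guess rate you actually trust.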
Re:Microsoft the in[n]ovator
Microsoft isn't an innovator? Oh.
I don't really care either, but stop and think for a moment about how amazing it is that one of the most profitable businesses in history has no, and I'm talking no, track record of innovation. First let's get the moneymakers out of the way:
- DOS. Helloooo Q-DOS.
- Windows. Continually evolving ripoff of MacOS and, formerly, OS/2.
- Office. WordStar did Word first, Lotus did Outlook and Excel first, all the rest is fluff and was mostly acquired anyways.
- XBox. Duh.
.Net is showing some signs of life--mainly because C# finally gives Windows developers a Java-like platform to write native apps on.
There are entire web sites that do nothing but try to sniff out one single innovation Microsoft has made to the world of software design in its 30 years of existence. They are instructive. -
iTunes Agent
For convenient podcast downloads for NON-iPod MP3 players, try iTunes + iTunes Agent.
iTunes
http://www.apple.com/itunes/
iTunes Agent - use any MP3 player with iTunes
http://sourceforge.net/forum/forum.php?forum_id=549637
My Morning Playlist
Nature Podcast (science journal)
http://www.nature.com/nature/podcast/
NPR 5-minute News Summary
NPR Health & Science
NPR Technology
http://www.npr.org/rss/podcast/podcast_directory.php?type=topic
Democracy NOW! (news - better than NPR in some ways)
http://democracynow.org/podcast_help.shtml#feeds
Diggnation (latest general blog news from digg.com)
http://revision3.com/diggnation
This Week in Tech (weekly tech news)
http://twit.tv/podcastinfo
Security Now! (tech/security news)
http://www.grc.com/SecurityNow.htm
President's Weekly Radio Address (comedy)
http://weeklyradioaddress.com/
and I used to listen to Ricky Gervais (comedy), but he charges $$ now.
http://www.rickygervais.com/podcast.php -
Re:Could someone explain how the attack works?
I believe this may answer your question: http://grc.com/dos/drdos.htm
-
Re:Take the bot, break it apart
Take the bot, break it apart
this reminds me of an old article over at GRC which covers this subject. interesting read.
-
That's ok...
Just as long as none of the versions have any of those scary raw sockets. -
Re:No raw sockets in XP?
I wonder what's the logic in disabling raw sockets...
Stupidity + historical reasons, which I am recalling from memory:
1. Microsoft implements raw sockets, with some efforts to restrict access to them - only Administrators can use them.
2. On XP all users are Administrators by default.
3. Some people point this out, the stupidest being the loudest. ("Full Raw Sockets were created as a potent research tool. They were NEVER INTENDED to be shipped in a mass-market consumer operating system." )
4. Microsoft thinks it's a good idea. -
Re:No raw sockets in XP?
Here's Steve Gibson's reasons for a start.
-
Yes, obsolescence is GOOD, at least to some extent
I can run Windows for Workgroups 3.11 on dial-up and NEVER need to worry about installing a firewall. Why? It is quite simple. Absolutely NO ports are open to attack on DOS / Windows 3.x over dial-up. Check it out for yourself with the ShieldsUP! test. The same can be said about some Linux distros, out of the box.
Now run the test on Windows 95 over dial-up. You will typically have just port 139 open. Then run it on NT 4.0. Now you have port 135 and possibly another port open in addition to port 139. Continue the test on newer versions of Windows. Watch as more and more ports are open by default....
So what am I getting at? With each new version of Windows, you are actually MORE vulnerable to attack than in previous versions. Most of it boils down to how your network is set up. Since dial-up does not require any network card, you tend to be safer on dial-up by a long shot. Not that it's immune to attack, but your avenues of getting hit are drastically reduced.
Anyway, the main reason I stay on dial-up so far is not because of its "better" security, but because of its price. As DSL and cable prices lower, you can bet that more and more people will get hit with attacks, mainly because they never needed to patch their networks in the past.
-
Re:Odd Question
There are also websites you can visit (Symantec?) that will perform a check on various ports for basic vulnerabilities.
GRC has some free tests too, like ShieldsUp and Leaktest, etcetera.
http://www.grc.com/ -
Re:it doesn't matter
While I'm not an apologist for Gibson, I think it should be pointed out that he stated quite clearly in the original interview that his view on the metafile vulnerability was conjecture, and was based on his limited work with the subsystem.
When did he point that out? Certainly not in this interview where he was adamant that the flaw was a deliberate backdoor. The only thing he equivocated on was who at Microsoft knew, and how old it was.
Steve: ...This was not a mistake. This is not buggy code. This was put into Windows by someone. We are never going to know who. We're never going to know - well, actually I'm going to find out when because we're going to know when this appeared because this appeared - I'm guessing this is not in older versions of Windows, which is why this function - or if it is in older versions of Windows, it's done slightly differently. I'm still on the hunt...
Leo: So you're saying intentionally or - Microsoft intentionally put a backdoor in Windows? Is that what you're saying?
Steve: Yes.
Leo: Well, that's a pretty strong accusation. Could this not have been a...
Steve: Well, it's the only conclusion...
Leo: It couldn't have been a mistake?
Steve: I don't see how it could have been a mistake. Again, I'm going to continue to look at it. But from what I've seen now, this had to be deliberate. It was not what we were led to believe.
Leo: ...But let me ask you one more - you're convinced there's no way this could have happened by accident. It can't be a programming error or bad design.
Steve: No. No. I mean, you know, again, this is as much a surprise to me, Leo, as it is to, you know, anyone who hears this. I did not expect to see this....
Now, again, I will know more in a week. I have to say that, you know, I want to call this preliminary. But I don't see any way that this was not something that someone in Microsoft deliberately put into Windows. And, you know, the other thing, too... -
Re:WINE does NOT have flaw found by Steve Gibson
Actually, they did. No, Gibson's original exploit didn't work, but he later modified it in a way that it did work. You can find the code here:
http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60751&utag= -
Gibson Replies to Russinovic(Sp?)
-
Re:I don't think many people took Gibson seriously.
Steve Gibson thought it was a backdoor because he believed that the flaw really only existed since NT 5.0, when it seemed to him the code was changed. Unless you believe NT 5.x is not network ready then your first paragraph is untrue. This point was not made in the article. The transcript of what Steve actually said. I am not saying I think he was correct but just setting the record straight.
-
Re:sniffing outbound connections from a tor node
Actually, what you said about Google enabling SSL using https://gmail.com/ is false! The only GMail URLs I know of which will use a secure connection once logged in are:
Be sure to check out "continue" argument in the URLs. It uses plain HTTP for at least these URLs:
- http://gmail.com
- https://gmail.com
- http://www.gmail.com
- https://www.gmail.com
- http://google.com/mail
Don't forget to use SSL if you use GMail RSS feed as well!
I'd like to point out that Steve Gibson (the guy claiming WMF was a backdoor) covered this in his Security Now! podcast episode #19 (search for GMail in the transcript). Maybe he isn't that bad after all... and what were the guys at Google thinking?
-
So where does Microsoft refute Gibson??
Read more closely. Where does Microsoft actually say that Gibson is wrong? Gibson claimed that Windows XP would read a .wmf file and begin executing a portion of the data file contents as executable code if a metafile record was encountered with a length of one byte. Since the minimum length of a valid metafile record is 6 bytes, Gibson suggests that the behavior was intentional rather than an accident. Microsoft doesn't actually SAY in their response that any of what Gibson claims is wrong:
Gibson: Except that, when I was pursuing this and finally got it to work, what Windows did when it encountered this Escape function, followed by the SETABORTPROC metafile record, was it jumped immediately to the next byte of code and began to execute it. That is, it was no longer interpreting my metafile records record by record, which is the way metafiles are supposed to be processed.
Microsoft: If you are seeing that you can only trigger it with an incorrect value, it's probably because your SetAbortProc record is the last record in the metafile.
Gibson: It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn't trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.
Microsoft: The vulnerability can be triggered with correct or incorrect size values.
Even though the Microsoft guy claims he is going to "get rather technical here" he never specifies what he considers an 'incorrect' or 'correct' size value to be. More importantly, he never refutes the claim that a record with a length of one byte would always cause Windows to spawn a new thread and begin executing 'data' as code. -
When they added the WMF functionality..
Vista is not a ground-up rewrite.
Sorry, those Microsoft marketers again.
So exactly when were they supposed to check it line-by-line as they were adding code that has been in windows for 10 years?
Maybe before they made their claim that this is the safest version of Windows ever.
Seriously, it should've been checked when they added the WMF functionality to Windows, but maybe because it's in assembly language they didn't check it (that was what was hinted at on Ars where Microsoft has some rather vague excuses, none of which answer to Steve's points. Just don't whine about this to Steve Gibson, he lives and breathes in assembly. Not a big deal). Yes granted this was back when security was no big deal. And yes granted, this is a tricky issue, when the design requirements were a certain way, but the context changed. This is what makes coding a challenge. This was code designed for one way, where they retrofitted it to another use, rather than refactoring. But when you have 16 million lines of code plus...
-
what's your definition of beta?
Isn't this just a little too much? Do the people who accept these sort of stories have ANY introspection at all?
#1 This is a serious bug.
#2 This is also in production code. Win2k, XP.
#3 Many people don't seem to realize just what the term 'beta' is. Now, I'm not talking about MSFT's standards, they seem to dicker on what a "critical vulnerability" is. But typically, beta software has passed testing and is ready for limited use. Many open source tools languish as beta for years, while being used in production environments. Google seems to follow this practice, I've been using their 'beta' version of gmail.
#4 Not interested? The previous post got over 600 comments. What's your definition of newsworthy? Britney Spears? This is America, this is entertainment.
#5 It's interesting because it illustrates Microsoft's software process, in that this ancient piece of code got swept right in to their latest and greatest, and could very well have been production software, as pointed out it's in XP. This is the reasoning behind Steve Gibson's statement this is a huge benefit of open source (down at the bottom of the interview he states that he's getting interested in open source for this very reason.) -
Re:Gibson is such an Alarmist! Now patch your code
Microsoft is fixing the newer versions of Windows, but not older ones, through some means of a careful definition of "critical vulnerability". But Guilfanov's patch works for earlier versions. The funny thing, and the point about open source, is that Gibson wouldn't have dug into this had there been a patch for all versions. And granted, it isn't as big an issue, with the earlier versions, because of the default settings for opening WMF files. But either way, another muddled and poor showing by Microsoft, but they are definitely improving, because of folks like Gibson, the folks at f-secure, Guilfanov, and this is my main point.
-
In case you didn't already know...
It's been speculated that the WMF vulnerability was there intentionally for whatever reason, or so GRC reported: http://www.grc.com/SecurityNow.htm#22 . Now if it was a rogue programmer or part of MS's plans for world domination, we don't know, but if it was indeed placed there intentionally, it wasn't a bug. If it's not a bug, then of course it would survive the code auditing several times over. Because of the recent discovery of it by the public, of course, MS had to fix it on all OSes, and the Vista patch was just later than the others because it wasn't as critical.
-
Steve Gibson: "It's a deliberate backdoor"
Despite all the speculation that this was a poorly coded Escape/SETABORTPROC routine, it seems there is potential that something far more sinister was afoot! Namely that this was a deliberately coded backdoor and that Microsoft has known about it for years.
The Windows MetaFile Backdoor? -
Re:Government backdoor?
Further testing confirms that the M-Windows 9x code base does not have the problem.
http://www.grc.com/groups/news.feedback:60315 -
Re:Steve Gibson is a crackpot
Please remember this is the same Steve Gibson who claims to have invented a new amazing "nanoprobe" technology for port scanning which he claims is a first to the world and can do just about everything.
Hmm, wrote a TCP Protocol Impl from scratch. Does he have a big ego? You betcha. Did he, when presented with the fact that some of his ideas weren't original, admit it? Yes. Not like some other Washington-based company, which would've had a flock of lawyers out sooner'n you could spit to file a patent and sue you.
The guy is a massive alarmist and I wouldn't take anything he says seriously. He loves to cry about the end of the digital world type scenarios, perhaps because he really believes it, or perhaps because it gets him more business.
Yeah, like when he said Microsoft's security isn't very good, and told them the issues with their raw sockets. After much howling and whining, XP "service" pack 2 removes the functionality. Hate to say, but this guy is a respected programmer and a serious Windows programmer.
-
It went something like this:
Well if you are interested in the details check it out.
(disclaimer - fictional scenario)
Steve: Hey Microsoft! Raw sockets are stupid!
Microsoft: Shut up and Go away.
Steve: Hey Slashdot! Microsoft doesn't care about security!
Microsoft: Steve is an alarmist! Check out QRCSux! Our stuff is like fort knox! Besides, it's the problem of the code, it's hackers who are the bad guys! [months later Microsoft goes back to Redmond, fixes code, costing them a pretty penny, and infuriating customers with massive, buggy patches. business as usual.] -
Re:Length==1
Steve Gibson has a record of being confused! Here's the obligatory http://grcsucks.com/ link! Shields up everybody!
Ah, GRCSucks, that sounds like a very credible and authoritative site, and judging by the few scraggly articles - just so. Even has some links to Microsoft, where they say everything is hunky dory and Steve is wrong, they are experts on security and brilliant, our OS is hacker proof, XP is the best and most secure OS ever. Uh, yea.. And yet, they did patch their system. Gee, ever think if MSFT just got off their high horse and listened to this guy, he wouldn't have to be an alarmist, but that's apparently the only way you can get the elephant to budge.
If I remember correctly, Steve was briefly famous for claiming the sky was falling based on some changes to how Windows XP was being architected to handle sockets. The hacker community came back around and roasted this guy.
Uh, get a clue, this guy is the hacker. And Microsoft ended up fixing their own code so yeah, guess that really proves this guy is a nut... NOT.
He's an 'interesting' fellow. Thanks for the security community flashback, Slashdot! It's been a long time since I thought about happyhacker, antionline, grc and the like. :)
No problem. Now I guess you should get busy and patch your system... or maybe you run Linux ;) -
Titan Rain - no big deal? Think again..
The guy is a massive alarmist and I wouldn't take anything he says seriously.
Ok, so you don't think DOS is serious? Or the MS Blaster worm? Cuz he was one of the guys to squawk about this, and Microsoft did come out with a patch. Why do folks defend Microsoft? Are you worried that they might lose money fixing their code? I mean, what's the deal people?
He loves to cry about the end of the digital world type scenarios, perhaps because he really believes it, or perhaps because it gets him more business.
What end of the world scenario? Care to print a link. Yeah, like got any evidence, any source for your statement? Just curious.
Now if you're talking about Microsoft's lousy security, and that Gibson thinks Microsoft should fix their crap, well, you got that right. Further, thing of it is, the U.S. is not very serious about cyberwarfare, but China is. And someday you might want to thank people like Gibson.
-
This is a feature, not a bug folks
He makes a wildly unsubstantiated claim about the WMF vulnerability being intentional.
Hardly. He gives thorough reasoning behind his argument. Yes, it was unintentional if you believe a bunch of monkeys tapping on computers wrote the Windows OS. On the other hand, if someone wrote the code, this was not a bug, it's a feature. I like to call it a "Buffer Overrun On Purpose" or something like that.
The whole Escape/SetAbortProc vulnerability is built around some (admittedly stupid) functionality in WMF files. WMF files have the ability to set an application callback function for an abort condition.
It's very simple, really. This record makes no sense in a WMF file. Requires an impossible value? Microsoft didn't want to fix it? It even creates another thread? C'mon, end of story.
So I'd be really interested why his very substantiated claim, you say is wildly unsubstantiated. Simply don't believe it? Better yet, I don't really care. Steve Gibson (read his stuff on DOS) has credibility. Lowly Slashdot kiddie? I not care. Whatever, now go back to patching your Windows box.
-
Re:Plenty evidence....like the backdoor CODE!
Sorry, coward, but if you had a smidgen of support for your statement, I'd be interested, but you don't.
I've no idea what SuperSystemDefender is, never heard of it. He sells SpinRite, a commercial product for system restore and recovery, written entirely in assembly, and has been selling it for years, in fact I used it since Win 3.0. Read the reviews - it's an excellent product. He does have a bunch of freeware programs available on his site to test your Windows security. Free, not shareware. He even recommends ZoneAlarm, as one of the few decent firewalls.
As far as hype, I think you're confusing hype, like Microsoft hyping Vista, with real security issues, such as DOS (Denial Of Service). Since when is this hype? I'm curious. Gibson makes a lot of squawking, but he backs it up. He found issues with Microsoft's raw sockets, and they took it out in SP2 - that was fairly important security fix, wasn't it? I'm curious how that's bomb throwing, when Microsoft went and fixed it. [What I'm really curious about is why folks get so defensive about Microsoft and security. Why attack the whistleblower?] If that's hype, well, more power to the guy. If it helps him sell a few copies of SpinRite, or get a few visitors to his excellent site, so what? I could think of worse things - like spreading FUD, say. Or like selling a product full of security holes, taking a long time to fix them, and furthermore, sometimes not even fixing them.
-
Re:I would not be surprised at all.
Gibson is a bomb thrower
Agreed, this is simply an act of self promotion. Whilst Steve Gibson is plainly a smart guy and a skilled programmer, he is also very much of a "bomb thrower". I still remember the noise he made about raw sockets in WinXP (and continues to in fact).
There is no doubt in my mind that he has simply stolen this particular bandwagon; after all, where is the proof? -
Re:I would not be surprised at all.
You obviously did not RTFA or you would know that he isn't sure of himself - he has only worked/looked at this a total of one day and happened to bring it up on the podcast. He has also stated NUMEROUS times that it SEEMS to be a backdoor, but until he has a chance to work at this longer to find out, it appears to him to have no other function he can see AT THIS TIME. (No, I am not going to link to these statements - RTFA!) Second, you must not have put any effort into finding his tool - it took me about 30 seconds to find the link to it. Since you are so web-challenged, here is the tool: http://www.grc.com/sn/notes-022.htm
How any of you calling Steve "bombthrower" (and similar) got modded anything other than flamebait or troll is beyond me - obvious from your comments you did not RTFA and the /. modders are not paying attention I guess. -
Re:I would not be surprised at all.
Furthermore, if Gibson is so sure of himself, why isn't his own test utility available to everyone?
Eh? I just downloaded it, it's linked to from here. -
Jumping to conclusions.
Having read the whole thing, I do think that Steve may be jumping to conclusions a bit too quickly.
I think that we ARE talking about the SETABORTPROC vuln that everyone has been talking about; Steve just finds that the vuln doesn't work quite the same way that he was expecting. It seems that Steve is basing his accusation on the fact that he had to set the length field of the code-containing WMF record to 1 (an illegal value) in order to get his code to execute. While this seems odd (and sounds like a "magic value"), there is likely a better explanation. Here's one possibility... The advisory from Secunia at http://secunia.com/advisories/18255/ says that the embedded code executes when any error is detected in parsing the WMF file (not only [or ever?] when canceling printing). Maybe the SETABORTPROC function was originally intended for printing but was overloaded to handle parse error callbacks? Depending on how the parsing code was written, it may treat the invalid length value as such a parsing error, but may have already indexed the beginning of the code block (since it knows the length of the record header) - it just doesn't know when the code block ends. It can then start executing the code block, even though it is an error in the code block's record that caused the error. I wonder if the code block would execute if the correct length was specified but the NEXT record in the WMF contained a similar error (like an invalid length field).
He may very well be correct that someone has intentionally included this mechanism as a backdoor, but he is being premature in making such claims without first consulting the people who have a lot more experience with this vuln than he does. By the way, MS gives access to their source code to a LOT of outside parties - I'm sure that Steve could have found someone to take a look for him.
I don't mean to make an ad hominem attack (this podcast is actually fairly accurate - just jumps to conclusions), but Steve isn't exactly known for being a respected researcher in the security industry - he's a bit of a poser and sensationalist/alarmist. My gut feel is that Steve is continuing on his sensationalist streak, jumping to conclusions and trying to drum up more excitement. He frequently hypes issues to crazy levels and tries to make himself look like a hero/expert. In fact, he usually offers little insight and often tries to pass off regurgitation (often inaccurate) as original research. Just listen to him in this recording talking about "rolling up his sleeves" and "wrote all my own code", etc. Look up his stuff on nano-probes (http://grc.com/np/np.htm) for some funny stuff. I am a security professional and can tell you that much of his writing is BS and/or hyped/obfuscated wording for technologies and techniques that have been in common usage for years and years before he writes about them. I just can't help but take Steve's claims with a grain of salt. -
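As an added illustration of the record structure the post above reasons about (my own code, not Gibson's KnockKnock or anything from the thread): a small Python walker over WMF records that flags the two things the post describes, a META_ESCAPE record whose sub-function is SETABORTPROC and a record length field below the 3-word minimum, and that reads the escape sub-function without trusting that length field. The record-type and escape constants are the ones from wingdi.h; the two sample metafiles are constructed inline and are not real files.

```python
import struct

# GDI constants from wingdi.h
META_ESCAPE = 0x0626       # record type: GDI Escape()
SETABORTPROC = 0x0009      # Escape sub-function discussed in the thread
META_SETMAPMODE = 0x0103   # a harmless record type for the benign sample
META_EOF = 0x0000
PLACEABLE_MAGIC = 0x9AC6CDD7
MIN_RECORD_WORDS = 3       # rdSize (2 words) + rdFunction (1 word)

def wmf_header(total_record_words, max_record_words):
    # mtType=1, mtHeaderSize=9 words, mtVersion=0x300, mtSize, mtNoObjects=0, mtMaxRecord, mtNoParameters=0
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + total_record_words, 0, max_record_words, 0)

def record(func, params=b"", size_words=None):
    """Encode one record; size_words overrides the true length to build the malformed sample."""
    true_words = MIN_RECORD_WORDS + len(params) // 2
    return struct.pack("<IH", true_words if size_words is None else size_words, func) + params

def wmf_records(data):
    """Yield (offset, rdSize in words, rdFunction) for each record header."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                              # skip the Aldus placeable header
    off += struct.unpack_from("<H", data, off + 2)[0] * 2    # mtHeaderSize is in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        yield off, size_words, func
        if size_words < MIN_RECORD_WORDS or func == META_EOF:
            return      # a bogus size field means nothing after it can be walked reliably
        off += size_words * 2

def suspicious_records(data):
    """Return (offset, reason) findings for the record shapes the post describes."""
    findings = []
    for off, size_words, func in wmf_records(data):
        if size_words < MIN_RECORD_WORDS:
            findings.append((off, f"rdSize={size_words} words is below the {MIN_RECORD_WORDS}-word minimum"))
        if func == META_ESCAPE and off + 8 <= len(data):
            # Read the sub-function from the bytes right after rdFunction, not via rdSize: the size is untrusted.
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                findings.append((off, "META_ESCAPE with SETABORTPROC sub-function"))
    return findings

# Constructed samples: a benign metafile, and one whose escape record carries rdSize=1 as the post describes.
BENIGN = wmf_header(7, 4) + record(META_SETMAPMODE, struct.pack("<H", 8)) + record(META_EOF)
MALFORMED = (wmf_header(11, 8)
             + record(META_ESCAPE, struct.pack("<H", SETABORTPROC) + b"\x00" * 8, size_words=1)
             + record(META_EOF))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, suspicious_records(blob) or "clean")
```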
Re:KnockKnock
KnockKnock.exe is linked on the notes page for that particular show:
http://www.grc.com/sn/notes-022.htm
Here is the episode index for the series, with the relevant show (#22) on top. It's a 40-minute long show, and should be a very interesting listen for most developers. Others may get bored.
http://www.grc.com/securitynow.htm
The notes link is the image-looking icon in the list of icons for each show. -
Re:KnockKnock
From what I've read, he only has the executable up for download at the following location in the Security Now! show notes page: http://www.grc.com/sn/notes-022.htm
I don't recall if he mentioned that he was making the actual code available, but since it follows the basic idea behind Ilfak's vulnerability test (http://www.hexblog.com/index.html), you could probably dig up more information from that point.