WMF Vulnerability is an Intentional Backdoor?
An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.
How about a link to information on the "other" intentional back doors that exist?
Nothing for you to see here. Please move along.
Now there's a feature.
You can't Hack My Gibson.
Is it like a rootkit but placed by Microsoft itself... Grrr.
They called me mad, and I called them mad, and damn them, they outvoted me. -Nathaniel Lee
It's happened before and it will happen again. Whether this is the case remains to be seen.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Well, how else is the NSA going to fight terrorism?
There was talk about the NSA/CIA having a close relationship with Microsoft and being able to exploit backdoors in Windows. This could have all been conspiracy theories, but the fact that this vulnerability existed throughout the Windows line kinda seems odd..
If this isn't a glaring example on why you should support open source, I don't know what is....
From TFA: You mean user action like...say...opening a web browser?
Anyway, this is freaky interesting, because if this is actually true, it's pure, unvarnished evil. It's a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.
Steve makes an excellent case with his diagnosis, but I'd love to see his findings verified by a few other agencies. This is too important to leave to one researcher.
I, for one, am going to be following this story avidly. Any bets on when M$ issues a statement that a 'rogue programmer' put this code in, and disavows any knowledge or responsibility?
____
~ |rip/\/\aster /\/\onkey
This does look awfully like a special-case trigger. The idea of a backdoor is to have it look for a specifically crafted but completely nonsensical and invalid input sequence -- this serves as the "key" to the backdoor, ensuring that no other designer or user accidentally stumbles onto it. Since we assume that legitimate users and developers will only provide valid input, we design our "key" to be definitely invalid. For me, that length==1 trigger is the most convincing evidence. It's not just that it's the wrong input, it's that it's the one specific value of wrong input that triggers the behavior. That seems like design.
Is Friday the 13th "Tin Foil Hat Day" on /. or what? The number of stories emanating from people that live in caves is unusually high today...
This Steve Gibson? Yeah, he is a real security expert; along with his podcast boy wonder, we have much to be afraid of.
How about a class-action suit against Microsoft,
on the grounds that they touted the security of their product,
while deliberately including non-security?
Maybe this was for law enforcement or some other agency to track "people of interest."
Yeah, SetAbortProc is used for cancelling print jobs. Here is the MSDN documentation: SetAbortProc
He's the L Ron Hubbard of the computer industry.
Reality is nothing but a collective hunch.
The freakish thing about this is that if it is indeed a backdoor, it's an odd way to go about it. You can't force someone to try to view a WMF. What would its purpose be? You can't use it to get into the exact box you want to, just into a random box that perhaps picks up your WMF from a webpage, or displayed in an application.
That's why they're bugs. Seriously, I don't think the fact that it behaves differently from how it does in a printer is any indication it was deliberately written that way. More likely this was an attempt to disable the code that went wrong.
I am trolling
It's possible to get to the bottom of this by legal means.
I think it's a beneficial back door- in fact, I wouldn't be at all surprised to find that they'll need to update "Windows Update" after all the patches are in place.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
The notion of a backdoor in Windows isn't new. Perhaps the WMF vulnerability was one of the vectors used by Magic Lantern, which was the code word for at least one of the FBI's keylogger programs. Magic Lantern was notable in that antivirus providers participated with the Feebs in a gentleman's agreement to not look for it.
It's certainly a dumb enough solution that the IT-challenged FBI might go for it.
On relative dumbness and smartness, I'd expect smart spies, namely those who work for two other notable three-letter-agencies, to use somewhat more interesting techniques. If it were me, I'd take advantage of equipment I had in place at critical infrastructure points to conduct MITM attacks between a PC and Windows Update servers, in order to transparently install my spookware on only those machines that specifically identify themselves - by means of GUID or whatever other stuff I could glean from the Windows Genuine Advantage and other DRM-related bitstreams - as belonging to my target population.
Paranoid? If you're not paranoid, you're not thinking far enough ahead.
Please remember this is the same Steve Gibson who claims to have invented a new amazing "nanoprobe" technology for port scanning which he claims is a first to the world and can do just about everything. Of course turns out to just be specially crafted TCP packets with no payload, which nmap has done since forever.
The guy is a massive alarmist and I wouldn't take anything he says seriously. He loves to cry about the end of the digital world type scenarios, perhaps because he really believes it, or perhaps because it gets him more business.
I agree with the author that the length prefix is something of a smoking gun. It begs the question of "how do we know it was fixed..." For example, they could change it to execute the datastream when length is set to a new trigger value; or a stronger backdoor would ignore any unsigned code. Still there, but harder to test for.
It's a straightforward way to add a backdoor that will bypass firewalls, etc. It can be triggered by a browsed page, email, etc. It's better than gif/jpeg encoding because those are more "platform independent." and the payload would be more likely noticed by a 3rd party decoder.
On the other hand, isn't this flagged as an attempt to execute code on a data page?
Also, if it were official, doesn't MS have easier ways into a general box - say through security updates, or even the entire existing code base?
Steve Gibson is not a security expert
http://www.grcsucks.com/
I doubt it. There is no way to prove that it was intentional without seeing the source, so it makes more sense for Microsoft to just patch it and make no comment concerning its origins.
M$ is spyware friendly on purpose!! Wow, I always suspected, but now I have proof.
Careful out there.
"Hack the Gibson!"
Did the /. editor(Zonk) not notice that the first link he posted is the same one as the last?
AC's modded -6. I don't see you, I don't mod you, anything you say is lost. Don't like it? Don't be a coward.
I thought the same vulnerability exists in wine?
http://it.slashdot.org/article.pl?sid=06/01/06/20
Down at the bottom of the transcript, Steve gives GRC.com/securitynow.htm as a URL where you can grab his test code for this problem (KnockKnock.exe)... but I can't find it there. Can anyone else?
AHHHHHHH! I'm burning with goodness again!
- Reakk, Sluggy Freelance
Isn't this the same Steve Gibson that was freaking out about how Raw Sockets in XP were going to destroy the world a couple of years ago?
/.?
S.G. is a flaming idiot, he looks for (and imagines) ghosts and spooks in every corner. Then flogs his conspiracy theories to promote himself and his business. This probably holds about as much water as the "discovery" of cold fusion and Korean human cloning.
Why aren't we reporting on REAL bugs like the 4 security vulnerabilities found in iTunes this week which opens both Windows and Mac users to external attack? Was the Microsoft bashing quota too low this week?
What is becoming of
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
Actually, I think Microsoft will go after Gibson's reputation.
HCG 50a = 2MASX J11170638+5455016
11h17m06.4s +54d55m02s
I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?
You guys are so dumb, I'd go straight through Falken's Maze.
I just hope David Lightman isn't reading this... we'd only have a few days until it was all over for us...
Dedicated Cthulhu Cultist since 4523 BC.
This reminds me of something: Somebody finds something that's so strange that it must have been intentional. Anyone else smell something that rhymes with "bintelligent resign?"
Don't attribute to malice anything that can be attributed to stupidity...
It's nothing like that actually, you are comparing apples to supernovas.
~S
here
For me, that length==1 trigger is the most convincing evidence.
I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.
I think the real giveaway here is that Windows creates a new thread when presented with this magic length. That's like rolling out the red carpet for the attacking Huns. I don't think the average buffer overflow type exploit gets its own thread or process.
And of course it's still possible that it was all a mistake. The C language can be used to write some extremely tangled code, if one is so inclined. Something like an incorrectly used setjmp/longjmp could have effects like this.
Yeah, the concept of evil was disproved in the 1960's. We all know that no one is responsible for his actions...
You are in a maze of twisty little passages, all alike.
PJ posted this story over at Groklaw. Many posts replied that, based on this guy's previous record, his accusations are not trustworthy.
Before I believe this story, I want to see independent confirmation by someone I trust.
If it were intentional you'd think they would have been able to patch it a little more quickly.
Who writes an evil backdoor, which dates back to Win3.1 days (when you didn't NEED an evil back door, and Windows had no clue what this Internet thing was about), and then DOCUMENTS it?
Lest we forget that Wine also proved vulnerable, and it was a clean-reimplementation of the specs!
Test your net with Netalyzr
/ignore
http://grcsucks.com/
Through Windows the NSA comes to you.
Damn you to hell!!!
The name means nothing. It's the facts that matter. Whether he is a one-day hacker or some looney, he discovered that for Length==1 (a completely invalid value that makes no sense for WMFs), Windows creates a new thread and starts executing the code.
IMHO your "debunking steve gibson" site is nothing but a smokescreen to divert the attention from Microsoft's vulnerabilities and backdoors.
...one that would search for WMFs that are set up to trigger the Backdoor. Do they exist? Are they on some shady Russian site, or are they on sites run by MS or Govt. agencies?
Once I was a four stone apology. Now I am two separate gorillas.
godamn, I'm so fucking sick and tired of seeing you be modded up in every fucking thread, get a life loser
Of course the NSA has the God given right to ........
examine anything you do, say, eat,
It seems way more likely that some idiot MS-programmer put this in there so he could show his buddies: Hey look what this WMF file can do... and then forgot about it completely.
An essentially non-authenticated exploit which can only be activated by accessing a WMF file (what user or system does that on a reliable basis) would only look like a "backdoor" to a conspiracy theorist (read: Steve Gibson).
Yeah, it's fun to think just how evil Microsoft really is, but I really doubt this is an example of it.
Also, backdoors would be by definition "intentional", no? Just an attempt to make it sound more evil.
I browsed over several posts on his website and come away with the conclusion that he is a few fries short of a Happy Meal. Here's one posting that I found really amusing:
"Thank you Microsoft for blessing us with a patch to fix the products
you currently sell. The products that compete with Linux and Macintosh.
Excellent job at diverting our attention away from the fact that
Windows 95, Windows 98, Windows 98SE, Windows Millennium Edition, and
Windows NT4 remain vulnerable. Neat trick convincing people that "the
vulnerability is not critical because an exploitable attack vector has
not been identified that would yield a Critical severity rating for
these versions."
Lemme see here. Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?
Ridiculous.
!ping! Godwin alert!
'If you're flammable and have legs, you are never blocking a fire exit.'
I've posted this once today.
1. Remote--root access that does NOT require human intervention or other app running.
2. Remote non-root access that does NOT require human intervention or other app running.
3. Local root access that does NOT require human intervention or other app running.
4. Local non-root access that does NOT require human intervention or other app running.
5. Remote root access that requires some human interaction or some combination of apps.
6. Remote non-root access that requires some human interaction or some combination of apps.
7. Local root access that requires some human interaction or some combination of apps.
8. Local non-root access that requires some human interaction or some combination of apps.
9. Remote OS crash.
10. Remote app crash.
11. Local OS crash.
12. Local app crash.
So, Microsoft's criteria would be equivalent to #1 here. And I agree that it is "critical". It is the WORST possible vulnerability. Which is why I listed it as #1.
But #2 is only slightly less devastating. And if you combine #2 with #3, you'll have the equivalent of #1.
Therefore, ANY remote attack that gives you ANY user level or above access should be "critical".
But who really cares what name you assign them? "Critical", "Red", "Emergency", "Category 1", whatever.
What matters is what avenue is open for attack and what the results of that attack will be.
1,000 level 12 vulnerabilities aren't anything compared to one single level 1 vulnerability.
Jack Thompson? Is that you, Jack?
____
~ |rip/\/\aster /\/\onkey
If it is intentional, I don't see how it possibly got past the Microsoft Security Engineers.
He who knows best knows how little he knows. - Thomas Jefferson
Google: A Patriot's Letter
Can't you have a WMF automatically load at startup if you have active desktop turned on? I think there are a fair number of windows machines where when you VERY FIRST turn the machine on, or on a fresh install of windows, it plays a WMF automatically. How's that for scary?
I think one would only have to read between the lines with the alleged settlement for anti trust that MS got from the US court system to see that code shenanigans in the background might have been an important part. Remember, government wants access to your data, whenever they want, whomever you are, wherever you are. Just "because". They may or may not admit to it, even when caught, but let's just apply occam's razor to the issue. As the most common operating system world wide, it just makes spook sense to code in backdoors. And they PROMIS to never abuse it.
...could not result from a bug but was actually intelligently designed?
\u262D = \u5350
And I'm fucking sick of you after seeing just one of your posts, asshole. You should get a life instead of being an asshole loser who cries because someone else gets "modded up".
You fucking whiny jealous cry-baby. Go home to mommy.
One might argue that Windows is a big backdoor for viruses anyway. So it comes as no surprise.
they left the SetAbortProc functionality in there for debugging purposes, but disabled it for developers who don't know about the sneaky backdoor.
I have discovered a truly remarkable proof which this margin is too small to contain.
Steven Gibson is still just a wannabe.
> If this isn't a glaring example on why you should support open source, I don't know what is....
/. with the careful foresight and planning of the Matrix Architect please raise their hand...
As opposed to an open source zlib exploit sitting on the cookers for over 2 years and not being addressed? Where's the sidewalk poster fruitcakes chanting conspiracy theories there?
You make it seem like any source (closed or open) does *not* have [[un]intentional|accidental] backdoors. Now, who's the naive one here? How long have you been a developer again? Any developers here on
My question is this... If the guy is smart enough to know that windows has kicked off a thread and executed his code, and he's smart enough to experiment with buffer-overflow exploits, why hasn't he stepped through the WMF interpreter code? Could it be that he doesn't want to admit that he has for legal reasons? I know that if I had discovered this problem, that's just what I would do. Call DebugBreak() and you have a call stack. You'd think that the handler for this SetAbortProc function would be pretty identifiable. So... Who's got the balls (or the time, in my case) to do it? That's our answer. Chris.
Most backdoor hole problems can be patched with the application (of) Preparation H.
If that's the case, they chose a dumb place to put it, because the exploit doesn't even work on Windows 2000 and below without some program installed to handle WMF files. From Larry Seltzer's blog (linked from F-Secure):
http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx
That means that unless Microsoft used some OTHER backdoor to install a handler for it, this backdoor is useless. I suspect this is merely an oversight on their part, and that it just ends up looking bad when you view it from the outside. The only way to know is to see the source code and well, we know how likely that is.
A real backdoor would be something remotely exploitable via the network, as opposed to hiding inside a file or something like that.
"I want to get more into theory, because everything works in theory." -John Cash
Gibson is the king of hype. He jumps on whatever the current security "hot button" currently is, applies his own peculiar bit of spin, and then pats himself on the back for being so clever.
Remember, this is the guy who, despite claiming to be a security expert, "invented" his own broken implementation of SYN Cookies (G.E.N.E.S.Y.S.) and then claimed he had no prior knowledge of the invention of SYN Cookies several years earlier by DJB et al. See http://grc.com/r&d/nomoredos.htm
There was a time in the history of slashdot when this would have been dissected in terms of a technological perspective. Now we just have anyone who is offended with Gibson attacking him. I have to wonder how many script kiddies are the base of the anti-Gibson press, because regardless of his state of mind, he has contributed more to system security than anyone who is flaming him.
There is no evidence of Microsoft conspiring to create this backdoor. People are eager to hate Microsoft, so love the conspiracy theory of Microsoft as the evil-doer.
And these same people can discredit conspiracy theories, like the JFK assassination theories, just by calling them "conspiracy theories" (even though there is much more evidence for them than there is in this Microsoft case).
I still have two systems in my house that run Win98 -- because of the applications I need to use. They'll probably disappear in the next two years, but if you look at web logs on a public site, you'll probably see 10% of the browsers are still coming from Win98.
;)
It's not dead yet. You just wish it were.
If they wanted to really make a back door they could have used anything. Since we don't have the source we can't really tell, but I wouldn't be surprised if it's as simple as something checking the 1 as a "true".
Desktop fusion is back on the table
Did you pull those out of your ass?
Remote root, even if it requires user interaction, and especially if that user interaction seems perfectly innocent is worse than a local root exploit *by far*, since 999 times out of a thousand an attacker never gets local access.
Your list should be re-ordered as follows: 1, 2, 5, 6, 9, 10, 7, 8, 11, 12. I removed 3 and 4 from your list because there is no such thing.
For most boxes, local exploits are irrelevant.
This looks weird but it still needs more research, especially given Gibson's somewhat dodgy reputation.
1 as an input value is one of those classic boundary conditions that developers should always specifically test against (but sometimes don't...along with 0, negative numbers, MAX_whatever, etc)...so I'm not convinced that it was just a coding error. If the "magic key" length was something completely random like 6385492, then I would be more suspicious.
C'mon MS...let's see the code!
Code encounters escape character
exit standard processing
encounter SetAbortProc
open thread to communicate with windows print manager
thread attempts to read [length] bytes for sub value, encounters overrun
this is where I'm guessing the real horrendous problem lies. I'm guessing that the original code ignores exceptions while pulling in the sub value, so in this case where code hits an overrun, instead of that sub value getting a few bytes of data, it just grabs until . In this case that sub value winds up being the payload.
So there you go, key and payload on an independent thread because of a bad exception handler in a 12 year old block of code.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
wow, post as plain text cuts out < and >. the sentence ending: "it just grabs until ." should have read: "it just grabs until <EoF>."
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
You forgot Autosetup for the optical drive...
It's not just that it's the wrong input, it's that it's the one specific value of wrong input that triggers the behavior. That seems like design.
:-P
Oh, come now. Don't ascribe to Design what can be ascribed to complete, random Chance. Maybe the FSM is in control of Microsoft.
Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.
The stories Allied soldiers were told about the Nazis paled in comparison to what they saw in the camps. Allied propagandists didn't have the imagination to come up with anything like the Holocaust.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
No joke: If someone seriously wanted to break into a Windows box, aren't there enough security holes, both publicized and undiscovered/unpublicized, to get you in?
You can mod this up for funny, which I guess it is, but it's also true.
posting a URL on /. causes the server to crash?
However, there are a few very specific ways in which you would write code to deliberately look for that specific value in a specific portion of an operation. These ways can be checked by inspecting a disassembled version of the code. (But do this outside of the US, or the DMCA droids will Use The Force.)
Since WINE shows the same hole and the coders are not the same, it would be my guess that the problem is specifically in a DLL that is used/usable by both. It should also be possible to massage WINE to fire up a disassembler with the correct entry point into the DLL that has the hole, when passing the exploit payload. It might take a while (I suggest getting a few month's supplies in advance), but it should be possible to determine exactly where the exploit is, whether it looks "natural" or not*, and whether that specific section of code is likely called by other graphics routines.
*A "natural" bug could include a series of conditionals and jumps, where the 1 is simply the untested case that falls into random code. An "unnatural" case would be to test specifically for 1 and to jump in a different way than for other cases. (eg: If other cases jump to subroutine, and 1 does a one-way jump OR on return is the sole case that jumps over all error conditions.) If that one case has an abnormal test and an abnormal jump, it would be next to impossible for it to be accidental.
Actually, it might be useful against Microsoft in their appeal over the EU ruling. The EU ruling demands greater transparency of protocols and code, and demands code be uninstallable by someone. The politicians might not care much about the exploit, even if it were deliberate, but I'd be willing to bet the EU's lawyers would. Even if Microsoft as a corporation were innocent (yeah, right), it demonstrates a valid legal concern that cannot be resolved using totally closed, airtight methods.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I can't believe even on Slashdot that drivel like this was moderated +5 insightful. That you even consider a software exploit even remotely close to Nazi concentration camps shows us that you have a very poor understanding of the scale of tragedy. You should be ashamed of yourself.
oh stfu already, I'm tired of seeing your name in every thread, time to unleash a mod bomb
I't a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.
It won't be the same until the leader of Iran states that the backdoor never happened.
No, wait; not even then.
The 98 series and NT4 are still in widespread (millions and millions) use. This is called a "problem" then. The auto industry in the US tried to pull this stunt of obsoleting and stopping support for their products in short time frames (sometimes within the SAME model year!) and got legally smacked down for it. Now they are required to provide replacement parts for ten years. Just because normal business product laws and warranties aren't applied to software-yet, and they certainly should be-doesn't mean it wouldn't be a good idea. Planned obsolescence and forced upgrades might be a spiffy way for some corps to extract a lot more dineros from your wallet, but it doesn't mean it's a good idea for you the consumer/end user...unless you are a pure "caveat emptor" anything-goes styled capitalist. Thankfully, most people see the illogic in that sort of system and that is why we have evolved some consumer protection laws. It is not a perfect solution, but it is light years ahead of legalised snakeoil like it was before. Eventually these sorts of laws will be applied to software, because even the dullest clicker is starting to bingo to the fact that most of this forced upgrade stuff is a cash cow dodge.
There is no way to prove that it was intentional without seeing the source, so it makes more sense for Microsoft to just patch it and make no comment concerning its origins.
;-]
True. And it makes even more sense for the patch to block the current doorway by simply moving it. Then everyone with current knowledge of the exploit will be locked out, but certain select associates can be quietly notified of an "upgrade".
With proprietary, closed source, you and I have no defense against this.
There are many good business reasons for expecting this, not the least of which is a desire to remain immune from further antitrust prosecution.
This is why security experts have long been saying that, if you're seriously interested in security, your first rule is that you don't permit running any software unless you have all the source code and you've compiled it yourself. (And then they go into the long explanations of the ways you can be tricked even then.)
[What, me paranoid?
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
This guy is a freak. The flaw looks like a coding bug. As a coder it is usual for you to forget to check or validate some stuff sometimes. Sometimes you even forget some debug code on your apps. Now saying that this was really intentional is like saying NASA didn't land on the moon. That's because the only use for an intentional flaw like this are Microsoft plans for World Domination by means of takeover of every personal computer on this planet(...)
I agree with Ivan, I would rearrange that list a bit, but overall the concept of M$ itself being 1 on the list, rearranged or not, is pretty insulting to our collective intelligence.
"What happend to just paying for a product without being constantly nibbled to death by Credit Card Ducks?"
Seems to have been flying under the radar for so long that people have forgotten his status as a talented crank.
All you do is make the WMF with a .JPG extension, and GDI handles the rest. That's the scary part.
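The two observable indicators this thread keeps returning to are (a) a META_ESCAPE record whose escape sub-function is SetAbortProc, which the earlier posts say has no legitimate meaning inside a metafile, and (b) a record whose size field is set to 1, which the "length==1" posts call the trigger. Since the post above notes that the extension is irrelevant and GDI decides by content, a scanner has to sniff the bytes rather than trust the name. The following is an added example written for this page, not code from the thread, from Gibson, or from Microsoft: it walks the standard Windows Metafile record layout (4-byte record size in words, 2-byte function code, then parameters; placeable header key 0x9AC6CDD7) and reports those two indicators. The sample files it builds are constructed by hand for the demonstration and carry filler bytes, not a payload; a hit tells you the file is worth a closer look, not that it would trigger anything.

```python
"""Content-based scan for the WMF indicators discussed in the thread.

Added example, not part of the original Slashdot discussion.  Record layout
follows the standard Windows Metafile format; the sample metafiles built at the
bottom are constructed here for the demonstration only.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
STD_HEADER_LEN = 18         # fixed-size WMF header that follows it
META_ESCAPE = 0x0626        # record function: GDI escape
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B  # an ordinary record, used only for the sample
SETABORTPROC = 0x0009       # escape sub-function the thread is about
MIN_RECORD_WORDS = 3        # 4-byte size + 2-byte function is the smallest legal record


def is_wmf(data):
    """Decide by content, not by file extension, whether this looks like a WMF."""
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= STD_HEADER_LEN:
        typ, hdr_words, ver = struct.unpack_from('<HHH', data, 0)
        return typ in (1, 2) and hdr_words == 9 and ver in (0x0100, 0x0300)
    return False


def iter_records(data):
    """Yield (offset, size_in_words, function) for each record, stopping at EOF
    or at the first record whose declared size could not be a real record."""
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        off = 22
    off += STD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        yield off, size_words, func
        if func == META_EOF or size_words < MIN_RECORD_WORDS:
            break  # a too-small size would make the walk stall or go backwards
        off += size_words * 2


def scan(data):
    """Return a list of (indicator, record_offset, size_words) findings."""
    findings = []
    if not is_wmf(data):
        return findings
    for off, size_words, func in iter_records(data):
        if size_words < MIN_RECORD_WORDS:
            findings.append(('invalid_record_size', off, size_words))
        if func == META_ESCAPE and off + 8 <= len(data):
            # Read the escape sub-function from the bytes right after the record
            # header regardless of the declared size: an undersized size field
            # is exactly the case the thread is talking about.
            esc = struct.unpack_from('<H', data, off + 6)[0]
            if esc == SETABORTPROC:
                findings.append(('setabortproc_escape', off, size_words))
    return findings


def _record(func, params=b''):
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def build_sample(with_trigger):
    """Constructed sample, not a real exploit: standard header, one harmless
    record and, optionally, an escape record whose size field is set to 1 with
    SetAbortProc as its sub-function, followed by four filler bytes."""
    header = struct.pack('<HHHHHHIH', 1, 9, 0x0300, 0, 0, 0, 0, 0)
    body = _record(META_SETWINDOWORG, struct.pack('<hh', 0, 0))
    if with_trigger:
        escape = struct.pack('<HH', SETABORTPROC, 4) + b'\xcc' * 4
        body += struct.pack('<IH', 1, META_ESCAPE) + escape
    body += _record(META_EOF)
    return header + body


if __name__ == '__main__':
    # The second sample is "named" .jpg to make the post's point: the name is ignored.
    for name, blob in (('benign.wmf', build_sample(False)),
                       ('renamed.jpg', build_sample(True))):
        print(name, scan(blob) or 'clean')
```

The escape sub-function is read from the bytes following the record header rather than from a parameter slice bounded by the declared size, because with a size of 1 that slice would be empty and the very record the thread describes would be missed. A real JPEG is rejected by `is_wmf` on its first bytes, so the scan can be run over everything an image handler might be handed, whatever the extension.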
Cool! Amazing Toys.
Uhh. There's an option to auto-mod people. Use it, and you'll never have to see him modded up again.
Since there is no way to prove you wrong, whether you are or not, why didn't you bet more?
Get a clue, troll- if you have a blank admin password, XP prevents ANY remote network access using that account. You are actually more secure with a blank password.
I read TFA, and I've read a lot of comments here that say "Hey! Look! They're checking for a specific key (length == 1), and executing the next byte, it's all so neat and clean it must be intentional!" Honestly, if I was Microsoft, with full access to the Windows source code, and the ability to scan it for buffer overruns, I wouldn't need to introduce a vulnerability that looks like a vulnerability. I'd just keep a list of as-of-yet-unpatched buffer overruns. Any time I wanted a "backdoor" to your PC, I'd pull one off the list, craft up an exploit (pretty simple when you not only have the source code to the OS, but the source for and access to the authors of the compiler, too), and voila! Every time one gets discovered, scratch it off the list and introduce two more in the next "Windows Update." Why make a backdoor that would raise anyone's suspicions? After all, who's going to suspect buffer overruns? Everyone knows they're just bugs! Now THAT'S plausible deniability.
We apologize for the preceding message. All those responsible have been sacked.
oh don't worry, the GNAA have him in sights, gawd, I can't even stand his faggot signature
It's worse, actually. He's comparing security holes to concentration camps.
Which have been shown to not he as horrific as previously stated.
In fact, didn't the museum director of the auchawitz (not spelled correctly) admit that while gassings did occur, the actual display in the museum was not real.
While I agree with your comments, it still doesn't change the fact the Trip Master Monkey is a fucking dumb shit. At least I take pleasure in knowing he pays for sex.
lmao. Who's the mod who blew their points and bit on that other AC's bullshit? His friend, at best, is some janitor rummaging through office trash bins for his 'insight'...
Just about rule number one while working at any government agency: You work for the government.
If you don't understand the repercussions of conflict of interest or impropriety and the subtle responsibilities associated with that, then you've never held a Top Secret security clearance like I have. I hope the mod who blew their collective wad on that other AC likes the taste of egg on their face...
That we know of that is. This has been lurking about in every version of Windows since 95, right? And it's taken until now to be brought to light. How many other similar seemingly innocent bits of code in those millions of lines of legacy Windows code do similar things? The question is not what can this exploit do on its own, but what can it do in concert with others that may exist? OK, so maybe I'm giving MS or the rogue programmer, or whoever did this (length==1 check and separate thread would imply it's not a mistake) too much credit, but if whoever did this was very clever they might have implemented a waterfall backdoor of sorts. In other words there's two or three exploits that when used in concert spell pwnage for almost any Windows box. I'm willing to bet there's more here that hasn't been found yet. I'm also betting, along with others, that MS will not accept responsibility, nor even point the finger at a programmer or contractor/company to take the fall because that would also make them look completely insecure. How many programmers have contributed to Windows code over the years? And MS would be admitting they don't have knowledge of any backdoors those programmers may have introduced? No, more likely as Benanov (583592) suggested, MS will simply try to smear Gibson as someone with a vendetta and/or crackpot/idiot and try to downplay the whole thing as it has been.
This is exactly why closed source is dangerous. Even security through obscurity is useless when the code holders don't know what's in their code. Open source may have similar problems, but at least there's plenty of people looking, and plenty who will be motivated to correct an issue when it's found instead of trying to pretend like it never happened. Which includes the issue of whodunnit and how to stop that from happening again.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
-Eric
SJW: Someone who has run out of real oppression, and has to fake it.
But as the parent stated, there are exploits that get you non-root access to a box, which can then be used to launch a Local root exploit. Case in point are all the PHP apps that get hacked. Generally they allow executing code as the webserver user (usually writing files to /tmp and then executing them), which is easily used to launch a call-back shell or IRC bot. The scr1pt k1dd13 can then launch a root kit exploit using that shell/bot to run commands locally on the box.
I agree with the parent, ANY access that can be gained remotely without user interaction is much worse than access gained because a user did something. Yes, they are both BAD, but an exploit that allows a machine sitting around idle to be broken into is worse than one that has to be in active use. Once that access is gained, whoever gained it can act as a user and do the interaction themselves to launch the other exploits.
Yeah, right... trust the Chinese government to uphold our privacy rights. Anyone who runs Red Flag Linux voluntarily should have their head examined. I think Gentoo might be a safe bet...
"I like systems, their application excepted", George Sand (French)
...a fluffy woolen cardigan in there?
I wonder if the windows 2000 and NT4 source code which was leaked some time ago has the code for handling wmf files... Maybe someone can check it out :)
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
what?
In theory there is no difference between theory and practice. In practice there is. - Yogi Berra
To quote Jon Stewart on the subject of Hitler/Nazi comparisons from memory: "You know who was like Hitler? Hitler!"
I just invaded Grammar Czechoslovakia and duped Grammar Neville Chamberlain; now it's on to Grammar Poland.
They're going to HACK the GIBSON!
"Never attribute to malice that which can be sufficiently explained by stupidity."
Lest we forget that Wine also proved vulnerable, and it was a clean-reimplementation of the specs!
This is a pretty good point. If executing the code requires a specially crafted file with the length set to one, how on earth could Wine have the same flaw? It's still possible the behavior was inserted as a back door, but unlikely it works the way TFA claims.
I, for one, am going to be following this story avidly. Any bets on when M$ issues a statement that a 'rogue programmer' put this code in, and disavow any knowledge or responsibility?
As much as I'd like to believe Microsoft is really, truly evil (in this specific instance), I'm much more ready to believe this was the intentional work of one of their programmers. It does make me wonder though, given how viruses, worms, and spyware that prey on OS vulnerabilities can and are being used for illicit financial gain, how plausible is it that a MS programmer could be bribed into inserting a backdoor into his code? If you could afford the initial cash outlay to pay off a programmer, you'd have yourself a larger window of opportunity to exploit it before everyone else caught on. Plus, you wouldn't have to spend time going around digging for exploits.
Shameless plug for my photos on Flickr
I'm surprised nobody's trotted out Reflections on Trusting Trust, by Ken Thompson. Not only does this discuss a backdoor, but also a backdoor that can't be found by examining the source code.
Program Intellivision!
I stopped reading at "Steve Gibson"
Considering that WMF was originally a response to PS, perhaps GRC's on crack and the functionality makes sense in a context where the specification was that you just dump raw WMF to a printer that itself has a WMF engine. In this case the "go to next instruction on abort" makes perfect sense as it's processing the content coming down the wire.
speaking totally out of my ass, of course...
the subject says it all.
Please help! I'm stuck inside my virtual reality headset!
I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code.
So, it accidentally created a new thread, and directed the new thread to start executing code at the specific position? That's a whole different level of accident.
Oh, and Shimmer, I'll take that $5.
There is nothing so silly as other peoples traditions, and nothing so sacred as our own.
"Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?"
I know of at least two. Both Sun and HP still provide support or patches for versions of UNIX System V that are older than Windows 98.
Couldn't somebody pull out the leaked Win2K code and take a look? If the relevant bits are in that collection it would be clear enough what's going on.
(I don't do security-related coding and don't have the code anyway. Don't sue me.)
Well, you can have local root access without human (legitimate user) intervention by sticking in a live CD. You get root access to the hard drive with no apps running (the installed OS is off) and no legitimate user interaction (because they are not there.)
But yes, I would agree with you that the security landscape changes a lot when the exploits are local-only and almost remote exploits that give the attacker any control on the system are worse than almost any local vulnerability. It becomes an inside job and is *much* easier to catch the perpetrator than if it's somebody sitting in an apartment in Hong Kong on a stolen Net connection cracking your computer.
Just "gittin-r-done," day after day.
Sorry, "begging the question" means "raising the question" in modern standard English. It never means "avoiding the question".
It used to mean the logical fallacy of circular reasoning, where the conclusion being argued is directly or indirectly assumed as one of the premises of the argument. A good example: Use of banned substances is prohibited by law. Breaking the law is immoral; Therefore those who use the banned substances are committing immoral acts. This clearly shows that we are correct in legally prohibiting the immoral use of these substances.
This is also known as "Petitio Principii". It's practically impossible to confuse the two meanings, and only a tiresome pedant would insist that "Petitio Principii" was the only correct meaning of "begging the question". I've seen the phrase used only once or twice to mean circular reasoning, yet I encounter the newer meaning of "raising the question" on a regular basis. It is quite obvious which use is dominant, and in English the dominant use is by definition the correct one.
Some authorities recommend that "begging the question" be avoided entirely because of this confusion and disagreement over the meaning of the phrase. I don't use the phrase frequently myself, but if I want to refer to the logical fallacy, I will use "Petitio Principii" or "circular reasoning" for clarity's sake.
So sad for you that you turned out to be a tiresome pedant that got it wrong.
Leo: The point these guys are trying to make is that the hacking profession is an old and honorable one, and the Internet wouldn't exist without hackers, UNIX wouldn't exist without hackers, GNU - I mean, hacking is not, in and of itself, bad. And so when we talk about bad guys as "hackers," they feel like we're besmirching the hacking community.
I think the hacking community (the good kind) should constantly refer to these "reporters" under their new name "a**holes". And so when we talk about reporters as "a**holes," they will feel like we are enhancing the a**hole community.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
I've never heard of Windows having any security issues before. Surely this must be a mistake.
I would be willing to bet it was somebody who was disgruntled over somebody who was paid to do so. And I would also think it more likely for somebody to do this of their own accord than if they were paid to. I say this because first, the coder is much more likely to get caught if there are multiple parties involved AND he would probably get a big reward from MSFT for turning the briber in to the authorities. Also, there is a "kill switch" to the plans for the backdoor if only the coder knows. He can easily back out by just doing nothing, unless the backdoor happens to get discovered. And if it does, the odds he is linked to it are small and even then, he can deny everything as an error because there are no witnesses to say otherwise.
Having read the whole thing, I do think that Steve may be jumping to conclusions a bit too quickly.
I think that we ARE talking about the SETABORTPROC vuln that everyone has been talking about; Steve just finds that the vuln doesn't work quite the same way that he was expecting. It seems that Steve is basing his accusation on the fact that he had to set the length field of the code-containing WMF record to 1 (an illegal value) in order to get his code to execute. While this seems odd (and sounds like a "magic value"), there is likely a better explanation. Here's one possibility... The advisory from Secunia at http://secunia.com/advisories/18255/ says that the embedded code executes when any error is detected in parsing the WMF file (not only [or ever?] when canceling printing). Maybe the SETABORTPROC function was originally intended for printing but was overloaded to handle parse error callbacks? Depending on how the parsing code was written, it may treat the invalid length value as such a parsing error, but may have already indexed to the beginning of the code block (since it knows the length of the record header) - it just doesn't know when the code block ends. It can then start executing the code block, even though it is an error in the code block's record that caused the error. I wonder if the code block would execute if the correct length was specified but the NEXT record in the WMF contained a similar error (like an invalid length field).
He may very well be correct that someone has intentionally included this mechanism as a backdoor, but he is being premature in making such claims without first consulting the people who have a lot more experience with this vuln than he does. By the way, MS gives access to their source code to a LOT of outside parties - I'm sure that Steve could have found someone to take a look for him.
I don't mean to make an ad hominem attack (this podcast is actually fairly accurate - just jumps to conclusions), but Steve isn't exactly known for being a respected researcher in the security industry - he's a bit of a poser and sensationalist/alarmist. My gut feel is that Steve is continuing on his sensationalist streak, jumping to conclusions and trying to drum up more excitement. He frequently hypes issues to crazy levels and tries to make himself look like a hero/expert. In fact, he usually offers little insight and often tries to pass off regurgitation (often inaccurate) as original research. Just listen to him in this recording talking about "rolling up his sleeves" and "wrote all my own code", etc. Look up his stuff on nano-probes (http://grc.com/np/np.htm) for some funny stuff. I am a security professional and can tell you that much of his writing is BS and/or hyped/obfuscated wording for technologies and techniques that have been in common usage for years and years before he writes about them. I just can't help but take Steve's claims with a grain of salt.
I've read in a few places that the Windows source code has leaked to the Internet, and it's also been licensed to a few countries at this point. Is this true? If true, it seems like someone would be able to -- in theory, mind you -- confirm that there are 5 lines of code in a certain file that implement this behavior, or call some suspicious block of weird binary with a warning saying "don't touch this mysterious block of code", etc.
Of course, maybe the code is nowhere in WINDOWS and it's in the compiler like that classic old C thing where someone (was it Knuth?) slipped in a recursive hack that made sure it propagated itself in new versions of the C compiler.
> but what possible code could be "fallen through" into
> that would set CPU execution *inside* the metafile
Actually, I think it was done for performance reasons (remember, it existed back in the Win 3.0 days).
Back in ye olden days, there was a common software practice called self-modifying code. It was used in some implementations of FORTH, but it was far more popular on systems that had few registers like the C64. It was generally used as a way to dramatically speed up code on those slow processors.
Have a look at the popular C64/Atari program SpeedScript (see http://www.atarimagazines.com/compute/gazette/1987 05-speedscript.html or http://www.atariarchives.org/speedscript/ch3.php ).
The source code gives an example:
"This module is chiefly concerned with the word processor editing functions. It contains many common subroutines, such as TOPCLR and PRMSG to clear the command line and print messages. It contains the initialization routines and takes care of memory moves (inserts and deletes). A second module, SPEED.2, is responsible for most input/output, including the printer routines. SPEED.1 is the largest file in the linked chain. UMOVE is a high-speed memory move routine. It gets its speed from self-modifying code (the $FFFFs at MOVLOOP are replaced by actual addresses when UMOVE is called). UMOVE is used to move an overlapping range of memory upward (toward location 0), so it is used to delete. Set FROML/FROMH to point to the source area of memory, DESTL/DESTH to point to the destination, and LLEN/HLEN to hold the length of the area being moved."
The "length=1" could've been a debugging hook that a dev neglected to remove.
-- "I never gave these stories much credence." - HAL 9000
My bad... My comment should have said "Remote exploits", not "remote root".
The point was that anything with "Remote" at the beginning should have been higher up on the list than anything with "Local" at the beginning.
Just as a guess, from Gibson's explanation, the bug is the following sequence:
1 - The SetAbortProc is entered in the metafile. It is interpreted, but (and I have never seen the metafile code) instead of having arguments interpreted, *just* the operational code is.
2 - The metafile interpreter dispatches to the abort proc handler, which initializes the existence of the abort proc. It then attempts to scan the argument.
3 - Most likely, the argument scan routine picks up on the fact that the length is wrong, and no such argument exists. Note that the developer probably thought "Gee, this handler only takes a single arg, and the arg retriever checks it, so don't worry".
4 - The argument retriever indeed picks up on the fact that the argument is wrong, and THIS is sufficient to "abort" the metafile. Of course the existence of a handler has already been registered...
5 - What is the default address for the handler? That is probably set as file relative 0 (probably for other reasons).
Leading to the situation. No malice needed.
Ratboy.
Just another "Cubible(sic) Joe" 2 17 3061
I think this is just over-the-top conspiracy theorising in order to drum up publicity for Mr Gibson's podcast.. strange that none of the other hackers that have worked with this (e.g. Ilfak) have set off alarm bells about it. But perhaps they are not blessed with Mr Gibson's insight.
You're an immobile computer, remember?
Yeah right. Like he's not there already.
I used to joke, when Outlook was constantly being patched for VB script exploits, that I was just waiting for the day when M$ would find it a good idea to script-enable GIF images. Not so funny now that it is the case.
They are careful in the broadcast not say it is NOT a Trojan.
From www.webster.com
What percent of machines that someone would want to get into are running Office?
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
I think it may be a warning that I should get myself checked out for dyslexia. That should be "grabs"
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
The two byte function code in the file is used to index into a table of function pointers to GDI functions. However, the error in SETABORTPROC was that the indexing of functions was done not from the table, but rather jumped to an index off the file position pointer. In assembler, imagine:
jmp 1($1) (Jump 1 off register 1 - which holds the table of locations)
jmp 2($2) (Jump 2 off register 2 - which might hold the file position pointer).
No one ever used the function, so it was never tested.
Why aren't we reporting on REAL bugs like the 4 security vulnerabilities found in iTunes this week
You don't consider the WMF exploit a real bug? A user simply had to display an image in a browser or email client to get infected. There were exploits running all over the place. And you don't consider it a real bug? You think some music player takes priority over the operating system's image display?
I'd like to see some analysis of the interpreter, too. Any Windows geeks want to make a name for themselves?
Holy shit (if this is true).
AccountKiller
This is just stupid. Of course it's not an intentional 'back door'. Having written WMF parsers, generators, and converters, I'm pretty familiar with what the code looks like to utilize a WMF.
This guy ought to explain why, if it's some secret back-door and not a design flaw, WINE has implemented it as well while creating their code entirely from scratch?
This is nothing special, nothing beyond an insecure design. People that work with WMF code have known for a long time that this sort of flaw existed. No one has been worried because it's a frickin WMF file! Do you really think Microsoft is going to send out a huge pile of WMF files that people will inadvertently view, so they can attack your system? This Microsoft paranoia is just getting dumb as shit.
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...
The few people here who are not up MS's ass or think that being paranoid is uncool seem to still discount the possibility that this is a real backdoor on the grounds that it does not allow you to target a machine directly. The only way to trigger the exploit is to visit a site with a "corrupt" wmf file.
If you believe the above to be true you are either not a very good reader or mentally handicapped.
Why do you need to visit a site? A wmf file read from a floppy isn't susceptible to the exploit? No, this isn't being pedantic. The WMF exploit happens ANYTIME the WMF code is triggered. It could come from anywhere. The image displayed when you install a piece of software could be a wmf.
This still doesn't change the fact that you need to somehow get the user to read your WMF file. Yes, absolutely, BUT realising it doesn't have to come from a website visited by the user means we are truly thinking about how a backdoor could be used, not just copying what has already been said.
So let's make a wild speculation that this is a deliberate backdoor designed not just for testing something (like the Quake backdoor) but to take control of customers' PCs in the wild.
How could you then force a computer user to load a corrupted WMF? You can't, surely, so this can't be a backdoor.
Here the logic becomes very very complex. Windows users, you might want to get help with this one.
What if this is just one (1) part of a backdoor?
Who said that this is the complete backdoor? What if there is a worm backdoor as well that is far simpler and causes the PC to do nothing else than visit a website. A two-stage attack. Most current exploits in fact work this way. The initial exploit causes a very simple trojan to get the more complex payload to be retrieved.
In fact such code would not even have to exist in Windows. All you need is the capability to somehow redirect a PC's internet requests to a page of your choosing.
Is it possible to re-route any http request to a url of my choosing and force you to load my WMF exploit instead of the page you requested? Well, isn't it awfully convenient that the WMF exploit can be hidden in a jpg?
All a US government agency, or for that matter any government agency, would need is a way to force your ISP to redirect your traffic. Exactly the same way they can "phonetap" your ISP connection.
In short, only criminals need to trick you into visiting their site. Government agencies can just force your ISP to redirect you. If it is done smartly it could even be done without your noticing.
There is of course also a nice explanation for it. What if there was a security problem in Windows so big that it would bring the internet crashing down so hard that even visiting microsoft.com becomes impossible?
How would you patch the millions of machines and get the internet users back online? Simple, every ISP would be sent the patch and they would simply redirect all their users' traffic to their own site with the WMF file and force you to patch your Windows.
People who discount this as a backdoor because it is not a worm just don't have enough imagination.
None of what I claim above means that this is a backdoor, just that it is not impossible either.
The truth? We either have to assume MS has written some truly amazingly bad code OR that MS has put in a backdoor for either forced patching or for intelligence purposes (either its own or a 3rd party's). Since MS is involved the idea that this is just a giant idiotic stupid bug seems all too likely. In fact so likely it would make the perfect cover.
Agent A: "But Sir, if we force MS to introduce this backdoor and it is found out we will have a riot."
Agent B: "No, we will just claim it is a bug."
Agent A: "Will people buy that?"
Agent B: [Turns his PC monitor so Agent A can see the blue screen] "Yes, I think so."
Remember, it ain't paranoia if they are really out to get you. I wonder if the Jews who stayed in Germany called those who emigrated to America paranoid. Ah, good old Godwin's law.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Local non-root is no vulnerability at all - a local user by definition already has non-root access. Also, crashes often become exploits - I'd put #9 above #7 as the potential risk is higher.
I am trolling
If building a backdoor into an operating system, especially one as complex as Windows, you wouldn't comment your code with
/* BEGIN BACKDOOR CODE */
.. too many eyes on the code. You'd bury backdoors in a series of smaller innocuous subsystems.
Practically speaking: specifically, you would place a series of exploitable "steps" you needed to execute in order to fully and REMOTELY compromise a system. Ideally those steps could be used interchangeably:
some steps to remotely get a payload onto the computer and others to remotely execute the payload (or put the payload in a place where it would be executed).
You mean like, if the total amount of death camp victims was revealed to be, say, five million instead of six million, you would say "See, it wasn't so bad"?
I'm not really fond at all of the way the state of Israel handles things nowadays (IMHO it, ironically, looks like they borrowed a thing or two from the Reich, which is sad, really), BUT a tragedy such as the holocaust is not to be belittled. It is something that can't be allowed to happen again. What I'm trying to say is, no reasonable people I know have had a reason to question the story behind the death camps. In fact, the only folks who I've heard play it down (or even claim it never happened at all) have been the kind of persons I would classify as crackpot nazis... By the way, your spelling errors won't really increase the credibility of your claims.
Anyway, comparing security holes of computers to concentration camps is WAY out of line.
Look for WMF files that are taking advantage of this flaw (have header length set to "1") and trace back the owners for ones that have been around for a while.
If this was an intentional hole then there should be examples of some earlier exploits floating around somewhere...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
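The record walker below is an added example and is not code from this thread, from Microsoft or from WINE. It implements the check proposed just above (look for WMF files whose record length is set to 1) and also flags the SETABORTPROC escape that the earlier comment about the Secunia advisory describes, using the public WMF record layout: a DWORD record size in 16-bit words, a WORD function code, META_ESCAPE = 0x0626, and escape sub-function SETABORTPROC = 0x0009. The three sample files are constructed by hand for the example; the four 0x41 bytes stand in for whatever an attacker would place in the record and are not exploit code.

```c
/* wmf_scan.c: walk the record chain of a WMF file and report (a) META_ESCAPE
 * records whose escape function is SETABORTPROC and (b) records whose size
 * field is below the 3-word minimum (size == 1 is the value reported in the
 * thread). Added example; record layout per the public WMF format, sample
 * files constructed by hand. Build: cc -std=c99 -Wall wmf_scan.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WMF_PLACEABLE_KEY 0x9AC6CDD7u /* optional 22-byte placeable header */
#define WMF_HEADER_BYTES  18          /* standard METAHEADER: 9 words */
#define META_EOF          0x0000
#define META_ESCAPE       0x0626
#define ESC_SETABORTPROC  0x0009
#define MIN_RECORD_WORDS  3           /* DWORD size + WORD function */

struct wmf_findings {
    int records;      /* well-formed records walked, including META_EOF */
    int setabortproc; /* META_ESCAPE records carrying SETABORTPROC */
    int bad_size;     /* records with size < 3 words (e.g. size == 1) */
    int truncated;    /* a record claims more bytes than remain */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 1 if the file carries a SETABORTPROC escape or an undersized
 * record, 0 if the record chain is clean, -1 if it is not a parseable WMF. */
int scan_wmf(const uint8_t *buf, size_t len, struct wmf_findings *f)
{
    size_t off = 0;
    memset(f, 0, sizeof *f);
    if (len >= 4 && rd32(buf) == WMF_PLACEABLE_KEY)
        off = 22;                               /* skip placeable header */
    if (len < off + WMF_HEADER_BYTES)
        return -1;
    /* METAHEADER: Type is 1 (memory) or 2 (disk); HeaderSize must be 9 words */
    if ((rd16(buf + off) != 1 && rd16(buf + off) != 2) || rd16(buf + off + 2) != 9)
        return -1;
    off += WMF_HEADER_BYTES;

    while (off + 6 <= len) {                    /* room for a record header */
        uint32_t size_words = rd32(buf + off);
        uint16_t func       = rd16(buf + off + 4);
        size_t   size_bytes;

        /* Inspect the escape sub-function even when the size field is bogus:
         * the record described in the thread has size == 1 AND SETABORTPROC. */
        if (func == META_ESCAPE && off + 8 <= len &&
            rd16(buf + off + 6) == ESC_SETABORTPROC)
            f->setabortproc++;

        if (size_words < MIN_RECORD_WORDS) {    /* cannot step past it safely */
            f->bad_size++;
            break;
        }
        size_bytes = (size_t)size_words * 2;
        if (size_bytes > len - off) {
            f->truncated = 1;
            break;
        }
        f->records++;
        if (func == META_EOF)
            break;
        off += size_bytes;
    }
    if (f->setabortproc || f->bad_size)
        return 1;
    return f->truncated ? -1 : 0;
}

/* Constructed sample A: header + META_EOF only (24 bytes = 12 words). */
static const uint8_t kClean[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x0C,0x00,0x00,0x00, 0x00,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00                         /* META_EOF */
};
/* Constructed sample B: META_ESCAPE / SETABORTPROC / byte count 4 / four
 * filler bytes (0x41, not exploit code) with the size field set to 1. */
static const uint8_t kAbortSize1[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x13,0x00,0x00,0x00, 0x00,0x00,
    0x07,0x00,0x00,0x00, 0x00,0x00,
    0x01,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x04,0x00, 0x41,0x41,0x41,0x41,
    0x03,0x00,0x00,0x00, 0x00,0x00
};
/* Constructed sample C: the same record with its true size (7 words). */
static const uint8_t kAbortSized[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x13,0x00,0x00,0x00, 0x00,0x00,
    0x07,0x00,0x00,0x00, 0x00,0x00,
    0x07,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x04,0x00, 0x41,0x41,0x41,0x41,
    0x03,0x00,0x00,0x00, 0x00,0x00
};

int main(void)
{
    const uint8_t *files[] = { kClean, kAbortSize1, kAbortSized };
    size_t lens[] = { sizeof kClean, sizeof kAbortSize1, sizeof kAbortSized };
    for (int i = 0; i < 3; i++) {
        struct wmf_findings f;
        int v = scan_wmf(files[i], lens[i], &f);
        printf("sample %c: verdict %d, records %d, setabortproc %d, bad_size %d\n",
               'A' + i, v, f.records, f.setabortproc, f.bad_size);
    }
    return 0;
}
```

The scanner flags sample C as well as sample B: a well-sized SETABORTPROC escape has no legitimate use in an image file either, so a content filter should treat the escape itself as the indicator and not rely on the size == 1 value alone.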
... I just like the fact that the parent was posted at 13:13 on Friday the 13th.
Just junk food for thought...
They got them too!?
Oh ok when your expert starts talking like:
"So it makes no sense to set an abort proc in a metafile. But even so, there would presumably be no reason for not allowing an abort proc to be set"
doesn't it remind you of the washing machine repair guy who knows "better" and found some parts of your washing machine are just unnecessary?
My point: don't assume conspiracy where you just "don't understand" stuff.
Why is it that everyone assumes that it isn't a backdoor because there are many other, presumably better, ways that Microsoft could access someone's computer (IE and Windows Update come to mind...)?
It seems to me that this vulnerability has been around since at least Windows 95, if not earlier, and back in the day the Internet was not yet the powerhouse attack vector it is today. Most viruses traveled by floppy MBR, even. It's not hard to imagine someone sending a floppy disk full of compromised WMF files labeled "Hot chicks" to someone else, with the intention that they can later sit down at that computer and gain access since the backdoor was opened by viewing the files. Granted, this is pre-internet thinking, but so is the vulnerability.
What's the possibility that someone at Microsoft created this backdoor, and then the intentions were subsequently lost amid the bureaucracy and it remained as an originally intentional, but now obsolete, backdoor? Is a backdoor just a bug if no one remembers creating it with the intention of using it as a backdoor?
For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
That said, wouldn't an organized FUD campaign (orchestrated by, say, Microsoft or the NSA) look more or less exactly like what is being seen here?
The GRC website has been up for a long time. While it's true I've seen some pretty foolish pronouncements come from that website (the funniest one I can recall was Mr. Gibson's assertion that Windows doesn't need a full TCP/IP stack and that inclusion of the full stack in W2K would lead to a drastic increase in Wincracks), in this instance his reasoning and conclusions are fairly compelling. Not necessarily true or correct, but I see no reason to discard them out of hand.
Sort of like the old saying, "A rose can grow in the mud" (or the FUD?).
A black van pulls up to your ISP, several men in black suits emerge and enter the office.
Agent A: We would like to access your network routers.
ISP clerk: Why? Who are you, can I see some papers?
Agent B: [Pulls out a black gun] You don't need to see our papers, geek boy.
Agent A: Mr. Smith, please, not yet. Our papers are in the mail, do you want to wait for them to arrive? Mr. Smith here hates waiting but if you want to force him to wait I am sure that is fine.
ISP clerk: [looks at Agent B playing with a blackened knife] In the mail you say? Oh that is fine, absolutely, let me buzz you in.
Agent A: Thank you for your cooperation, citizen. I will just be a minute, Mr. Smith here will keep you company so you won't get lonely and feel the need to call anyone. [enters the machine room while Agent B plays with his knife]
Agent A: [returns after a few minutes] We will be leaving now. The government thanks you for your cooperation, please refrain from speaking about this with anyone.
The two agents leave and the ISP clerk decides that he needs another job.
Question: How to force people to retrieve an infected WMF file? Answer: Control the network.
Any computer connected to the network does so because an ISP somewhere routes the calls to the proper address. Rerouting it is trivial for the right people.
This could be done by the government in exactly the same way they redirect phone calls (You never seen a movie where people call phone X only to find themselves talking to phone Y without their knowledge?) OR another reason?
This "bug" is claimed to be new to Windows 2000. Roughly the time of all those worms when it became impossible to patch a new Windows online BEFORE it was infected. Now imagine the solution if this had gotten really out of control where a worm so nasty was out that EVERY Windows machine connected to the net would instantly be infected. How would you patch all those machines? Especially considering how impossible it is to get users to actually PATCH their bloody machines? You could make the argument that what would be needed is some kind of solution where every Windows machine connecting to the net would immediately be patched.
Cue every ISP being told to redirect their users to a WMF file (every ISP is capable of this) and voila, instant enforced patching no matter how much you disabled MS update.
The only problem with exploiting this is for complete outsiders. The government has absolutely no problem exploiting this exploit to root your machine.
Is this the explanation? I don't know. I am just guessing and not accepting the easy answer.
Can I have my money back (or part) - the system is not as sold and they aren't fixing it.
Alternatively, release the code if they aren't going to support it and let me.
"But I don't think it's reasonable to expect a vendor to provide patches for operating systems that are well over 5 years old. Looking at Apple, Red Hat, Sun, etc. I don't see this happening either."
Sun routinely supports their OS software for over five years; Sun currently supports a version of Solaris that is over 8 years old. Sun enterprise servers typically never have their OS upgraded; they are just patched, even though later versions of Solaris can supposedly be easily upgraded. Sun enterprise servers (with their original OS) are normally retired when they are no longer required or when the hardware is no longer supported. The reason for this is that nobody wants to break an enterprise server that is working fine.
Is it not possible to check for the source code behind this procedure in what was leaked of the Windows 2000 source? (Or are we not supposed to discuss that?)
So yes, it's a feature, but it isn't a good feature. It would be a misfeature, but I suggest that good and bad aren't sufficient to fully describe this. You need good, bad, and evil. Thus I suggest a new term for evil features like this: malfeature.
And that one can have "mismalfeatures", though I'd rather make that into "dismalfeatures".
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
I thought the NSA provided some "assistance" to DES encryption when it was being developed and actually rigged it such that it was compromisable by them.
I read this in the somewhat dated but still fascinating "Puzzle Palace" about the NSA.
People still listen to this guy?
I thought Steve Gibson had been thoroughly discredited, especially after his fiasco with Raw Sockets. HOLY CRAP, Windows is going to start giving you raw socket access, WE'RE all F'ING DOOMED. Old Register article comments. Even back then, I had a hard time listening to Gibson who seemed like too much of a self-promoter and snake-oil salesman.
I've never trusted that guy, and I'd like to see this independently confirmed by, say, eEye or Counterpane, or someone with some honesty and conviction.
I like music
"It's nothing like that actually, you are comparing apples to supernovas."
Looks more like a horse's head to me.
>the concept of M$ itself being 1 on the list
>>>So, Microsoft's criteria would be equivalent to #1 here
I believe the OP means to say that what Microsoft describes as a 'critical' vuln == #1 on this list.
my password really is 'stinkypants'
I wonder if the Windows XP for AMD64 code first marks the page the WMF is sitting on "executable" before starting the thread to run at that location. I have been led to believe by M$ that in the AMD64 version of the OS they are using the executable bit to protect from attempting to execute in non-executable, i.e. data, memory sections.
If it does then it would be obviously intentional.
"Just remember, it takes a village idiot." -- The Motley Fool.
There are lots of those floating around in the Windows code. Places where something was put there so that future ideas for functionality can be built on top of it. The "deskbar options" tab, http://www.maxpc.co.uk/tips/default.asp?pagetypeid=2&articleid=10542&subsectionid=718&subsubsectionid=566 is another instance of this.
It should be noted that although Wine does suffer from a WMF vulnerability as well, the behaviour is not the same one as described here. There is no special case for length==1 in Wine, and no way to have your exploit code right after the length field in the WMF. Wine simply implements the same abort routine that MS's API specifies (and can be argued to be a bad idea in itself, but that is MS's fault not Wine's). The way it can be exploited is completely different, and does not resemble a backdoor in any way.
In fact, the differences between the behaviour of Wine and Windows imply that there is indeed something very unusual about the way Windows handles this special case. Whether it is an intentional problem or just horribly bad coding, that is harder to say.
What if you were trying to target people who looked at secret documents, or maybe kiddy porn?
Think about it. An enemy spy buys your fake missile plans, or a pervert logs into a honeypot, and goes off to a place of safety to view them. Image viewers from Windows 95, like ACDSee for example, have WMF handlers, right? And the files don't have to be named
It looks conceivable. Likely? That's another thing entirely.
Start by looking for a .wmf file with that magic cookie length = 1 value. If we find one anywhere on MS's web site, particularly in the very popular areas like Windows Update, OR especially in the release version of Win2K/XP, and that metafile contains code that does "interesting things", I for one would remove my tinfoil hat and bow in Mr Gibson's direction. I would also propose a whistle-blower's award for the following items.
1. A wmf scanner that detects this value in these files. For extra credit, make it an IE or Mozilla plugin. We don't need to work very hard to find a problem like this if we can find a trigger lying around somewhere.
2. Word from someone who KNOWS why it is in there (this is unlikely IMHO but you never know)
3. One, and that's all we need in this case, wmf file with the suspicious value in it and some code that will be executed when the proc is called. Extra credit for figuring out what it does. And a gold star if we can prove that the code phones home to someplace interesting.
> by examining the source code.
That's where your mistake is. They're finding this out via disassembly and testing--by examining machine code, not source code. The problem would appear in debugger output, unless of course, they've found a way to FNORD.
Windows update? If MS wants a peek inside your box they don't need to do it using one byte metafile exploits.
OTOH, this does give them (or anyone else) the perfect excuse to scan every folder on your computer while looking for malformed wmf files. Of course, anyone using anti-virus software already has installed such a "rootkit" anyway - and who would use windows these days without one?
What? It was not. Microsoft's fix was out way before the WINE one. And I'm pretty sure the WINE guys didn't have to test one hundredth of the scenarios Microsoft tested.
Microsoft is the king of bullsh!t backdoored software... why? Look at who they sell their main products to: the clueless general populace. It will always have backdoors so MSFT programs can feel special in their not so special programming skillz.
||| I still can't believe Parkay's not butter.
I.e. "luser" -> "mail".
I think this is a VERY important point. Though my hunch is that the source code to this backdoor is kept VERY tightly sealed.
Your CPU is not doing anything else, at least do something.
Wouldn't they do the same with any major OS, such as OS X? And, if so, wouldn't it likely be a similar exploit? And, if so, shouldn't someone have likely found it?
go get it
I work at Microsoft, and know for a fact the exploit was put in for the purpose of determining who looks at illegal pr0n on Usenet. Ever wonder why the government dropped all the lawsuits against us? This kind of behind-the-scenes cooperation with the federal government is why.
MS has a 32-bit extension to metafiles they call Enhanced Meta Files (EMF).
Has anyone checked to see if an EMF file can execute code similar to how a WMF can?
-- 3 events that reshaped the world in the 20th century: WW1, WW2, and WWW
So are the "Boycott Sony" advocates going to stick to their guns and boycott Microsoft too?
Of course anyone who still buys from Microsoft either doesn't know enough about them or is hopelessly locked in by 3rd party apps.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Mod this comment up to a +8!
[ ]Clever sig [X]Lame sig
These are scattershot methods, though -- good for placing spyware or zombies on large numbers of random machines, but not terribly good for getting your code to run on a specific computer, which is what a law enforcement or intelligence agency would really want.
As you pointed out, you can put the exploit in an image on a website. You want to filter for a specific profile of people? Put that image on a website that targets the people close to the people you want to spy on. Put the image in the signature of your account on an Islamic fundamentalist web forum. Wow. You compromise the computers of some innocent people who might actually exchange email with members of Al Qaeda or friends of Al Qaeda. With their computers owned, you've got the ability to add a graphic attachment signature to their email so they start compromising their friends' computers. Keyloggers are installed, so even if they're transmitting secret messages via SSL, PGP, etc. the content gets phoned home pre-encryption.
Even skipping the forum method for initial seeding of the trojan... Say you're a spy agency in China that wants to see what kinds of rockets or airplanes Boeing is working on for the US. You have your soldiers walk into the Shanghai Daily News and take control of the web server computer for ten minutes. Add a directive to .htaccess that will redirect visitors coming from a specific domain (*.boeing.com) and have them pull an alternate graphic from the docroot that contains the trojaned wmf file. Now Boeing is sure to have Chinese ex-pat engineers working in the US that will visit the newspaper's site on a daily basis to see what's happening in their hometown. Once their computers are compromised, you can work your way all through the company like I mentioned in the previous example.
If spy agencies aren't using this exploit, they're slacking bigtime.
Seth
$5 / month hosted VPS on linux = awesome!
Hmmm,
Look,
Once upon a time there was a firm named Inslaw; I remember something about a spider program that could collect data from various DB systems.... They sank; after that DEC rose, with their uber VMS VAX machines with a backdoor. Long before Google there was AltaVista, which was developed by DEC. After DEC sank, Microsoft rose. And guess what, another backdoor.
Me smokes what?
[My English is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
The problem encountered by those reporting on the concentration camps was that in the FIRST world war, everybody got exposed to extreme propaganda depicting all Germans as vile creatures. When the exaggerations and lies were brought to light, the public had then learned to seriously doubt such extreme accusations. It could be argued that when the reports from Jan Karski (an eyewitness to the ghetto and concentration camp conditions) were dismissed, it was due to that legacy of doubt in 1943.
The reporting during WWI damaged the credibility of all reporting during WWII.
jcr (53032): Allied propagandists didn't have the imagination to come up with anything like the holocaust.
They most certainly did have the imagination, but they realized that they did not have a willing audience for such accusations. Successful PR cannot be had with seemingly wild claims, especially if the organization has been shown to greatly exaggerate in the past.
This is not my sig.
Read the Gibson transcript and then read the Microsoft page describing the exploit. Notice anything? Either this backdoor was intentionally placed in Windows by Microsoft or it was placed by a rogue coder which Microsoft failed to catch. If it was done by a lone nut, the Microsoft 'Security Bulletin' wouldn't say stuff like "Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified..." since the back door code is NOT PRESENT in Windows 98 et al. No, Microsoft would say stuff like 'this flaw is only present in Win 2K/XP.' Instead, Microsoft goes on with "For these versions of Windows, Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period." Looks like the 'non-critical' stuff is just a cover for Microsoft to explain why the 'flaw' is not patched in Windows 98.
The backdoor looks like it was intentionally placed there by Microsoft and they are not coming clean about it. Microsoft is singing the same tune as Sony did about their rootkit. Not only that, they are even using it as an excuse to tout upgrading to Win XP when they say: "It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities." This is pure evil.
Bill Gates actually has a remote control hidden in his bra which will cause all the PCs to rise up against humanity, just like Mom in Futurama.
William Gibson is more believable than Steve. I'm still awaiting his predicted raw sockets apocalypse.
I'm as big a Microsoft sceptic as you're likely to meet but Steve Gibson is nothing more than a self publicist with enough technical knowledge to scare anyone susceptible to sensationalism.
Word will read WMF files, and a large number of machines running MS operating systems have also tended to have Word.
I can't test it offhand, but is there perhaps a way to embed a WMF for display from a webpage as well? (No IE here to test that.)
Perhaps this was put in long ago by a forgotten programmer as a way to add or fix functionality. Never documented as such and the reason for it has been obscured by time.
1. Why is the executable "code" loaded from the wmf file?
2. Why is a new thread created to run the code in the background?
3. Why is an impossible size of 1 used as the trigger for doing this?
4. Does the above activity actually cancel print jobs? If not, why is it inside SetAbortProc() which is documented by Microsoft as being used for cancelling print jobs?
5. Was this "feature" utilized by Microsoft on any customer's PC before public disclosure? If so, in what ways?
6. Did Microsoft inform anyone of this "feature" before public disclosure? If so, when was the earliest date and to whom?
As far as I could tell the only evidence presented that the vulnerability really was a backdoor was the fact that the message length needed to be set to *exactly* one in order for the vulnerability to work. Presumably the argument then runs that poor coding wouldn't generate such a specific effect, so it must be a deliberately coded back door.
This, however, overlooks many other possibilities and, unless there is other evidence I am unaware of, suggests an ignorance of security vulnerabilities by those making the suggestion. Frequently security vulnerabilities result from data being interpreted in an incorrect fashion as a result of pointer munging or memory collisions. Often some perfectly innocent piece of data (like message length) will get used as an index into some table or mistakenly used instead of the correct variable in some test and cause incorrect execution or privilege escalation of the user's code.
Even if there is reason to believe this isn't a simple code error like this, there are many other explanations other than Microsoft's or an employee's malevolence. For instance, imagine this situation:
Initially metafile execution is designed to execute code in the fashion of the vulnerability with no requirement on the header length. This is perfectly plausible if it was programmed by some new hire without much awareness of security. Hell, it could be a bug introduced to do some sort of debug or get something up and working fast which just got left in the codebase. I'm sure all of us have made a change to our code that screws over security just to do some testing, and sometimes people forget about it or get fired.
In any case this security issue in the code base is there and some other parts of Windows start relying on it. The security experts eventually notice the issue but by now other parts of Windows will break if it gets fixed. Perhaps then the decision is made to partially patch the vulnerability but leave a special value for some fields which triggers the old behavior so as not to break the other parts of Windows. If this is the case it would explain Microsoft's reluctance to patch 95 and other old systems, because a patch would require rewriting some significant part of the system.
Perhaps Microsoft even intended to fix the vulnerability but the blah-blah group asks the metafile group to leave in a workaround (the special values) so they can continue to work on the rest of their component. Maybe then the groups are late to the deadline and forget about that issue in their rush. Or perhaps by this time the group members who knew about the workaround have left and no one knows to go back and remove it. Or maybe this is fixed as part of some larger patch applied to the source tree, and when it breaks the build late at night and someone calls the metafile team, whoever answers doesn't realize it's a security issue and backs out the change but forgets to tell the people who made it.
Whether or not I have the details right, the point is clear. There are a hundred innocent ways for this sort of vulnerability to arise. It is silly to jump to the conclusion it is an intentional backdoor.
If you liked this thought maybe you would find my blog nice too:
I wouldn't put it past someone to make this allegation just to get slashdot subscribers to their podcast.
I don't know these people though (but do like their podcasts) so it would be hasty of me to accuse them. However, I'm not sure I would be above doing something like this, so other people out there might not be too.
If you liked this thought maybe you would find my blog nice too:
"What you would expect is that when Windows is reading a WMF file, and the MetaFile ESCAPE code is encountered, followed by the SetAbortProc subcode, there would be an argument specifying a Device Context and a second argument pointing to a user-provided function that is to be executed in the event of a printing abort."
No, that's the last thing that anyone with software engineering knowledge would expect. What the hell use is a pointer to a function (or indeed a device context) going to be if you open the file in a different app? The only way you could possibly have a meaningful abort proc in a stored file would be with inline code.
Man, this is one of those times I'm glad I live in Canada, we only got linux up here!
I feel the need to point out that there was a patch for Windows 3.11 File Manager issued some time in 1999 or something to fix a Y2K bug in the date renderer (it was rendering ':0' for 2000, for instance). This is because it was doing (((year - 1900) % 10) + '0') to get the ASCII character to print, and year = 2000 gives (10 + '0') or ':'.
So we all know what this means, right?
From now on if anyone finds a security hole in Windows (or in any other app for that matter) it is of high importance not to disclose this to the world, because you would help the terrorists and destroy a tool to fight them. First check back with the NSA, CIA, FBI, Secret Service, local police, Navy, Army, Marines and any other service you can think of that protects the homeland and ask them if it was their doing. If they deny it keep your mouth shut anyways, because they might not want to tell you.
ENOUGH. Gibson was right about raw sockets.
After the relentless pounding and smearing of Gibson, Microsoft quietly disabled the raw sockets code.
Gibson was right. They fixed the problem.
Jesus, it's like arguing with 20,000 Bill O'Reillys. Truthiness! Gibson is a maaaaadddmaaaannn!
And since people rarely followup to what they think is truthy, they missed the fact that the only reason the Raw Sockets disaster didn't happen is because MICROSOFT QUIETLY FIXED THE PROBLEM, JUST. LIKE. GIBSON. SAID. THEY. SHOULD.
Damn, I wish I hadn't moderated this thread. ACing sucks.
ENOUGH. Gibson was right about raw sockets.
After the relentless pounding and smearing of Gibson, Microsoft quietly disabled the raw sockets code, whatever the hell it was.
Gibson was right. They fixed the problem. He was right, The Reg was wrong.
Jesus, it's like arguing with 20,000 Bill O'Reillys. Truthiness! Gibson is a maaaaadddmaaaannn!
And since people rarely followup to what they think is truthy, they missed the fact that the only reason the Raw Sockets disaster didn't happen is because MICROSOFT QUIETLY FIXED THE PROBLEM, JUST. LIKE. GIBSON. SAID. THEY. SHOULD.
And as for being a top security professional, something he never claimed to be - he's a developer - what makes you all think that the very best security people at the NSA and Microsoft don't already know all about the exploit, because it's one of the many that they placed there in the first place?
Listen, everyperson, Microsoft has cooperated with Justice, the FBI, the NSA and all the other alphabet boys since the beginning. Windows and Office are monitored at will, you can bet your last god damned dollar. Can you imagine MS refusing to cooperate, especially during a ten year monopoly trial??
(originally posted as AC because I'd moderated; however, even posting as an AC, the code retroactively undid my moderation. Didn't know that would happen. A little warning, Slashcode?)
where you waif that right.
I really think kate moss doesn't have anything to do with this, despite the recent press tizzy.
music lover since 1969
c'mon, if the code is in a website, google must know about it.
And by the way, who in the world uses WMF in a website?!?! This is more suspicious than Michael Jackson in a child porn scandal.
But here, here are your guilty people.
http://www.google.com/search?q=filetype%3Awmf+doo
Here are some more:
http://www.google.com/search?q=filetype%3Awmf+cod
I bet that all those Windows Meta Files (suspicious name for an image, uh?) are full of malicious code.
Never ascribe to malice that which is adequately explained by incompetence. Napoleon Bonaparte
better is the enemy of good
"Applied Cryptography" -- a good introduction to the subject of cryptography; quite readable.
Maybe that code is in that leaked Win2K source code that got leaked (it did, didn't it, or am I crazy?)... maybe someone that has it can look there and see what the code actually does from a source perspective...
IBM provides support for portions of its mainframe OS that are several decades old.
For a hefty penny of course... if you want it free, you have to upgrade.
I don't want this to sound like I am too "pro-Microsoft" (I'm not). If Microsoft intentionally put the vulnerability into their product then there must be a reason why. That is the question that I would like someone to answer because it does make all the difference. The question goes straight to motive.
If the vulnerability was an accident it was stupid and it needs to be fixed. I don't necessarily buy Gibson's reasoning but I can see how he got there, and that is enough to be troubling to me.
Did some rogue programmer think "This is a cool idea" and against the rules just stick it in there? I can't believe that Microsoft gives anyone that kind of autonomy. They have to have far better code review policies than that. That is harder for me to believe than anything else!
Did some group think that this backdoor coupled with some other software could be used for some acceptable purpose in the future? Did someone say "Hey, with some code off of the Genuine Advantage web site we can use this to disable some features on computers that are running pirated software"? This is only an example but I hope you get my point. I can see how something like this may be considered and discussed. I'm not so sure it would make it past the lawyers though. Maybe it was started, aborted, and this was a trace that was forgotten about and slipped by? This sounds a little far-fetched but I have seen useless bits of code left behind in other coding projects. I'd buy something like this even though it sounds like something out of a bad movie.
Did the NSA or some other agency approach Microsoft and ask to have something like this put in their code? We know that they have asked for encryption code before so that they could examine it, so maybe this kind of idea isn't so strange? An exploit that the government knows about could give them a significant advantage in cyber-war. Frankly, this sounds like a Tom Clancy wannabe's plot for a novel. But it could happen.
Honestly though, all of this stuff sounds like conspiracy-theory stuff to me. My guess is that it is more innocent than all of that. I'd guess the exploit is a leaving. Something that got left behind from some piece of code that simply didn't make the final cut.
I'd just like Microsoft to explain themselves this one time. Completely, thoroughly, honestly. Then they can tell us what they will do to ensure it won't happen again.
Buyer beware.
It's just the number "1" in a size field - apparently only values 3 and higher are valid, but Steve is saying this *must* be intentional because the vulnerability doesn't work if 0 or 2 is put in there.
Geez, I've had legitimate bugs that have presented far weirder triggering conditions than that.
(Defending Microsoft - only on Slashdot. Ok, so some monkeys tapping on a keyboard while the programmer wasn't looking snuck this code in ;)
First of all, Gibson is no bomb thrower; he's uncovered some pretty serious security issues with Microsoft. I'd suggest reading his web site - he's a very thorough person, and doesn't make any wild, unsubstantiated, naive, biased claims, like, say, Slashdotters. He's a long time Windows user, not a Mac fan, nor an open-sourcer (at least until recently, for reasons like this). Now, to quote the transcript, curious where you would even be able to make the claim that this *isn't* a backdoor:
Yeah, he's saying this is a deliberate backdoor. Listen to the article or read the transcript, then think about it a little. Now, he's not saying *what* Microsoft put this in for. Did someone put this in for testing? That's my take, from a programmer perspective, but... who the heck knows. That's sorta the problem with proprietary software, we might never know. Buyer beware.
IIRC WMF was used as the format for print files a long time ago (at least until they went to EMF).
:o
I'm guessing WMF support is kept in Windows to allow old 16-bit applications to print, as they rendered a WMF print file in the application to the spooler process.
Part of SetAbortProc allows registering the callback to the application... I'm assuming way back when there wasn't any common control for this, so the devs for the app generating the print job would put in some code that would jump to their process and execute, for example a box that said "you cancelled printing that check, would you like to remove the entry in the register?" or a REPRINT? box etc...
Any old 16-bit Win 3.1 devs out there that worked on WMF and the print subsystem? This is just my wild ass guess but I think it's a darn good one.
Geez, I'm really curious why every time there's a Microsoft security issue, all the Slashdotters run to the defense of Microsoft (while at the same time patching their system one must assume). Gibson a Bomb Thrower? So MS Blaster is no big deal? All the noise about raw sockets - and yet - this was one of the big fixes for "service" pack 2? Really people, I gotta wonder. Obviously you are not in charge of any secure networks, or maybe y'all are running Unix.
Uh, you obviously don't know Gibson. He's not some idle Slashdotter, he's a hacker in the true sense of the word, does all his coding in assembly, and is seriously familiar with the internals of Windows, as a long-time Windows user.
The point everybody here is missing, as all the Microsofties come out of their holes and take a break from patching their systems, is that Gibson is not saying Microsoft is spying on you dimwits (although who knows, maybe they can) - he's merely saying this is a backdoor - he hasn't a clue why they put it there - but - and get this straight - it _is_ a backdoor. RTFA. Who wrote it, why, we'll never know, that's the problem with closed source.
Since this code goes back a long time, what exactly was/is Windows using WMFs for? If this code has been around since before 1992, then a computer environment in those days would be a couple of computers networked to a company server, and a printer server. No or little e-mail, WWW etc.
* Inside Word documents
Put an official looking document on a company network server; the user opens the document and code is executed on his/her terminal. Nice for installing spy tools & keyloggers, even if the user rabidly protects his/her computer.
* Printer drivers ?
WMFs are for print job preparation; did any ever get executed inside a network server before handing it off to the laser printer? Probably not, since Windows printer drivers on the clients do most of the formatting/raster work. Would be nice if you could get a Windows NT server to execute your code by just printing a file on the network, completely wiping out any security.
Just some thoughts without ANY fact checking.
We've blogged about this already providing the background of the bug:
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
I emailed Zonk about it but I don't think he's had a chance to update the posting.
Long story short the idea that this is intentional rests on the premise that only an incorrect value produces the vuln. That is totally wrong, both correct and incorrect values trip the vulnerability. Besides doesn't it seem odd to create a backdoor that would require the user to first visit a website? What, were we going to take out a superbowl ad suggesting people visit www.microsoft.com so we could...uh...what exactly?
S.
http://www.stepto.com
The NSA is (in theory at least) legally forbidden to spy on Americans.
I'm sure they can legally ask the Canadians to spy on 'suspects', and probably return the favour. The intelligence communities of several countries are very tightly integrated, so I'm sure they have no problems getting around these little legal problems.
Like all pain, suffering is a signal that something isn't right
Think of a bug. Crashes your system, or something goes awry. But execute the code at the next byte after the SETABORTPROC, in a data file, where SETABORTPROC makes no sense, when you set the record size to 1, an impossible value? Nah, that's not a bug, that's more like what a hacker *tries* to do on purpose; think of a buffer overrun exploit, here Microsoft made it easy. [Now, with all the howling and outcry about this, understand that Gibson is *not* saying _why_ this code is here, he's only saying it's a backdoor. No conspiracy stuff, Microsoft out to get you. Best guess, this is more along the lines of the Wal*Mart hacker futzing with the keys in the whole Planet of the Apes fiasco. Who wrote it? Why? Who knows? That's the issue with closed source.]
With SETABORTPROC, this is a callback; you are handing Windows a pointer. There are two things that Steve points out, if you read the article (sigh, this is Slashdot, I know): There is no point for the SETABORTPROC record to be in the file, it makes no logical sense. It's a callback, a common technique used for one process to communicate with another; in this case when you cancel a print job, it's a way for Windows to make a "callback" to the application to say, hey, the user quit printing. But it makes no sense in a WMF...except...
And secondly, unless you set the size of the record to 1, which is an impossible value, it doesn't work.
Now think for a minute about how you write backdoors. You don't use a possible value; the programmer here is kindly making sure you can't just happen to fire this off if you also happened to have a SETABORTPROC unnecessarily in your file. Design by Contract, Microsoft Style ;)
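As an added example (not code from Gibson, Microsoft, Wine or any poster in this thread), here is the kind of WMF scanner the earlier wishlist asks for, run over constructed sample files: it walks the record stream, flags any META_ESCAPE record carrying the SETABORTPROC sub-code (whatever its size, since the record has no business in a data file), and separately flags a RecordSize below 3 words, the impossible value the post above describes. Record-layout constants are taken from the public MS-WMF documentation; the sample files, including the size-1 record padded with zero bytes, are constructed here.

```python
"""Detect Escape/SetAbortProc records and impossible record sizes in WMF data.
Added example; layout constants from the public MS-WMF documentation,
sample files constructed below (not real-world captures)."""
import struct
from typing import List

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
MIN_RECORD_WORDS = 3         # DWORD RecordSize + WORD RecordFunction: nothing smaller is legal


def scan_wmf(data: bytes) -> List[str]:
    """Return findings for one WMF blob; an empty list means nothing suspicious.
    Sizes in the file are counted in 16-bit words.  Walking stops at the first
    record whose size is impossible, because nothing after it can be trusted."""
    findings: List[str] = []
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22                                            # skip placeable header
    if len(data) < pos + 18:
        return ["truncated: standard 18-byte header missing"]
    header_words = struct.unpack_from("<H", data, pos + 2)[0]   # HeaderSize, normally 9
    pos += header_words * 2

    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == META_EOF:
            return findings
        if func == META_ESCAPE and pos + 8 <= len(data):
            sub = struct.unpack_from("<H", data, pos + 6)[0]     # escape sub-function
            if sub == SETABORTPROC:
                findings.append(
                    f"offset {pos:#x}: Escape/SetAbortProc record, RecordSize={size_words}")
        if size_words < MIN_RECORD_WORDS:
            findings.append(
                f"offset {pos:#x}: impossible record size {size_words} (function {func:#06x})")
            return findings
        pos += size_words * 2
    findings.append("no META_EOF record before end of data")
    return findings


# ---- constructed sample files -------------------------------------------

def _record(func: int, *params: int) -> bytes:
    """Well-formed record: size in words, function code, WORD parameters."""
    return struct.pack("<IH", 3 + len(params), func) + struct.pack(f"<{len(params)}H", *params)


def _wmf(records: List[bytes], placeable: bool = False) -> bytes:
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    # Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size, NumberOfObjects,
    # MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    prefix = b""
    if placeable:   # key, hwmf, bbox(4 x int16), inch, reserved, checksum (constructed)
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + header + body


# Ordinary file: one drawing record, then EOF.
BENIGN = _wmf([_record(META_SETMAPMODE, 8), _record(META_EOF)])

# SetAbortProc escape with a legal size: still flagged, it has no place in a data file.
ODD_BUT_WELL_FORMED = _wmf(
    [_record(META_ESCAPE, SETABORTPROC, 4, 0, 0), _record(META_EOF)], placeable=True)

# The pattern from the thread: RecordSize=1, SetAbortProc sub-code, zero-byte filler.
MALFORMED = _wmf([
    struct.pack("<IH", 1, META_ESCAPE) + struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8,
    _record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("odd", ODD_BUT_WELL_FORMED), ("malformed", MALFORMED)]:
        print(name, scan_wmf(blob) or "clean")
```

Feeding the scanner real files means opening them as bytes and calling scan_wmf on each; the offsets it prints are absolute file offsets, so a hex dump at that position shows the record in question.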
You mean like those concentration camps the United States government has put in place since 9/11 to coverup its security holes?
Hardly. He gives thorough reasoning behind his argument. Yes, it was unintentional if you believe a bunch of monkeys tapping on computers wrote the Windows OS. On the other hand, if someone wrote the code, this was not a bug, it's a feature. I like to call it a "Buffer Overrun On Purpose" or something like that.
The whole Escape/SetAbortProc vulnerability is built around some (admittedly stupid) functionality in WMF files. WMF files have the ability to set an application callback function for an abort condition.
It's very simple, really. This record makes no sense in a WMF file. Requires an impossible value? Microsoft didn't want to fix it? It even creates another thread? C'mon, end of story.
So I'd be really interested why his very substantiated claim, you say, is wildly unsubstantiated. Simply don't believe it? Better yet, I don't really care. Steve Gibson (read his stuff on DOS) has credibility. Lowly Slashdot kiddie? I not care. Whatever, now go back to patching your Windows box.
Ok, so you don't think DOS is serious? Or the MS Blaster worm? Cuz he was one of the guys to squawk about this, and Microsoft did come out with a patch. Why do folks defend Microsoft? Are you worried that they might lose money fixing their code? I mean, what's the deal people?
He loves to cry about the end of the digital world type scenarios, perhaps because he really believes it, or perhaps because it gets him more business.
What end of the world scenario? Care to print a link. Yeah, like got any evidence, any source for your statement? Just curious.
Now if you're talking about Microsoft's lousy security, and that Gibson thinks Microsoft should fix their crap, well, you got that right. Further, thing of it is, the U.S. is not very serious about cyberwarfare, but China is. And someday you might want to thank people like Gibson.
My SMC router lets me block a URL based on keywords, so I set it to block ".wmf" - problem solved :)
And then there is "Marshall's Axiom":
Which I think is an even better explanation for how the WMF vulnerability came about.
I do not deploy Linux. Ever.
Actually not just Gibson, but other security folks, F-Secure, call this a "feature". I mean c'mon, you should be thanking MSFT, this is a great 'hook'.
(disclaimer - fictional scenario)
Steve: Hey Microsoft! Raw sockets are stupid!
Microsoft: Shut up and Go away.
Steve: Hey Slashdot! Microsoft doesn't care about security!
Microsoft: Steve is an alarmist! Check out QRCSux! Our stuff is like Fort Knox! Besides, it's the problem of the code, it's hackers who are the bad guys! [months later Microsoft goes back to Redmond, fixes code, costing them a pretty penny, and infuriating customers with massive, buggy patches. business as usual.]
Make that was an MS guy. Not that he would abandon his bread and butter, but he is definitely seeing the advantages of open source:
First of all, I like how they compare the Windows Metafile as any other "Device Context", like the conventional 'display' or 'printer'. Yes, there were days that some applications 'drew' onto files so that they could be reliably duplicated on the remote side to which they were sent. I'm sure this was a most valued feature for anyone who developed any type of 'Fax' software back in the 90's. Draw to a file, send over the wire, etc.
Should a callback be received if writing to the file was cancelled? Yes indeed. After all, who wants their fax machines cluttered with useless partial faxes that were cancelled midstream. (The fax machines already had a bad habit of doing that over bad lines at times and thermal paper wasn't cheap!)
Now, is there a conspiracy to use the '1' in the file format to make a callback as this person claims? Well, I seriously doubt it was a conspiracy; however, I could definitely imagine that a "real programmer" during the time that this development was going on, might have put a 'shortcut' in the code in order to 'debug' the chunk of a file quickly in order to make sure that things were working (as far as callbacks go) without going through all the motions. Perhaps this code was left in inadvertently or was continuously used for testing; I seriously doubt it was some 'wormhole' in space-time to take over "all the computers of the past."
I would like to see the person making this claim use his debugger to reverse engineer the assembly which made the call into his application in order to determine the logical paths used to decide what the code did or did not do based on his file modifications. Who knows, there may be exploits abound for any OS or application (especially linking loaders) that aren't careful about examining each and every bit, and in the right order on the right day at the right time. That even goes for CPUs that are executing instructions.
Is Microsoft trying to take over the world? Nah, it's probably Google. I bet they have first dibs on the Quantum chip too.
It has to do with whether the version comes by default with a program that can be exploited or not, and apparently this includes Windows ME.
"Trusting Trust" can also be applied to one's children. Perhaps programming isn't just limited to typing on keyboards and clicking on mice.
I suppose you have to chalk that up to someone who is more so versed in 'hardware' than they are in software itself.
Sun is ending support for INTERACTIVE UNIX System, V/386 Release 3.2 Version 4.1.1 on July 23, 2006. This OS was listed as a legacy OS in a 1995 Sun press release for Solaris. Sun is still providing patches for an OS that predates MS Windows 95 and NT 4.0.
All Sun Solaris versions are UNIX System V Release 4. SunOS (pre-Solaris 2.5) was BSD derived. Solaris 2.5.1 was introduced in 1996 and Sun still provides patch clusters for it. I believe that Solaris 2.6 is still fully supported - and it was introduced in 1997.
I worked on pdp-11's in the late '70's. I also had a Timex Sinclair in 1983 with the membrane keyboard (and the memory extension that plugged into the back), it was interesting. The one computer that I regretted buying was the TI99-44.
Ah yes, so it's a backdoor. good, that makes it alright then. Silly us getting worked up about a security hole which never was!
On a long enough timeline, the survival rate for everyone drops to zero.
Besides doesn't it seem odd to create a backdoor that would require the user to first visit a website?
I think that is the best comment on the whole subject, what sort of backdoor is it when you require the user to activate it for you.
BOO
you know... where you compare something/someone to Adolf Hitler/the Nazi party and then the discussion promptly ends? (see Usenet)
One thing I find interesting about your scenario is that it does not in any way require that the "agents" actually be government agents--it's just as easy for it to be some random (terrorist?) group with nefarious intentions and some black suits.
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
His conclusions once again are completely incorrect.
See the following post for why this occurred.
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
But at least in this case, Gibson or someone like him will be all over the patch, so if there's anything even slightly fishy going on it'll be exposed in no time.
Ummm... sorry, you lost me there. How does leaving a new backdoor help Microsoft avoid antitrust prosecution? Or am I just reading it wrongly?
Yar.
Do you actually think that such prosecution would take place? I sure don't think so! Why would the AG or a Grand Jury go after one of the most powerful corporations in the state?
Remember, while Microsoft may have only harmed/wronged those in other states or nations, they are an important source of employment in the state of Washington. Not only that, but they pay taxes. And it does not help the government to purposefully harm anyone who sends it significant chunks of change.
Again, the fact stands that lawsuits or legal action either won't happen, or aren't the best possible ways of dealing with this situation. The best way would be for those affected to boycott Microsoft. It's a far more effective and direct way of handling such an incident. There is no need for legality when the market can easily deal with the situation.
Cyric Zndovzny at your service.
Well a couple of random thoughts:
;-)
1. Many, many government agencies use MS software for most of their operations. This story exposes the fact that MS has had a backdoor into all those agencies for some 15 years. Sure, they can close this door, and send all those agencies upgrades. But how does anyone outside MS verify that the upgrade isn't installing a new backdoor?
2. The US government now has a policy of unwarranted spying on citizens. A backdoor into the most common computer systems is tremendously useful to that government's investigative agencies. Closing such a backdoor in non-government systems would be a slap in the face to all such government agencies, and would certainly lead to retaliation. Unless, that is, an alternate entry to non-government systems is quietly provided. And this has the advantage for MS that, should the feds threaten antitrust action, MS can just mention that they can again expose the backdoor and distribute a patch that closes it, killing the government's spying operations that used the backdoor.
If you think this is paranoid, you haven't read or watched enough spy thrillers.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Say...how's that mod bomb working out?
Loser.
____
~ |rip/\/\aster /\/\onkey
Just because you're paranoid, doesn't mean they're not out to get you :)
I like your second reason... it's paranoid, but it's feasible.
Yar.
Please remember to take your medication.
"I'm just here to regulate funkiness."
Blatantly lifted from The Register
Contrary to a recent rumor circulating on the internet, Microsoft did not intentionally back-door the majority of Windows systems by means of the WMF vulnerability. Although it is a serious issue that should be patched straight away, the idea that it's a secret back door is quite preposterous.
The rumor began when popinjay expert Steve Gibson examined an unofficial patch issued by Ilfak Guilfanov, and, due to his lack of security experience, observed behavior that he could not explain by means other than a Microsoft conspiracy. He then went on to speculate publicly about this via a "This Week in Tech" podcast, and on his own web site. Slashdot grabbed the story, and the result is a fair number of Netizens who now mistakenly believe that the WMF flaw was created with malicious intent.
What it is
We think it's time that this irrational fear is put to rest. First, let's look at how the flaw works: A WMF (Windows Metafile) image can trigger the execution of arbitrary code because the rendering engine, shimgvw.dll, supports the SetAbortProc API, which was originally intended as a means to cancel a print task, say when the printer is busy with a very large job, or the queue is very long, or there is a mechanical problem, and so on. Unfortunately, due to a bit of careless coding, it is possible to cause shimgvw.dll (i.e., the Windows Picture and Fax Viewer) to execute code when SetAbortProc is invoked.
A metafile is essentially a script to play back graphical device interface (GDI) calls when a rendering task is initiated. Unfortunately, and due entirely to Microsoft's carelessness whenever security competes with functionality, it is possible to point the abort procedure to arbitrary code embedded in a metafile.
Gibson could not imagine why WMF rendering should need the SetAbortProc API, since, as he mistakenly believed, WMF outputs to a screen, not a printer. In fact, it can output to a printer as well. But following Gibson's erroneous assumption, the question arose: what would be the point of polling the process and allowing the user, or application, to cancel it?
Having exhausted his imagination on that score, he concluded that there's no good reason for SetAbortProc to be involved in handling metafiles. The more logical explanation, Gibson reckoned, was that someone at Microsoft had deliberately back-doored Windows with this peculiar little stuff-up. And besides, the idea of compromising a computer with an image file seemed quite cloak-and-dagger, adding to the supposed "mystery."
To anyone well acquainted with Windows security, hence Microsoft's insistence on ease of use whatever the cost, the idea of intentional mischief along these lines is immediately suspect. Microsoft still encourages users to run Windows as administrators, because it believes that logging in is too much trouble for the average point-and-drool civilian. It enables scores of potentially dangerous networking services by default, lest anyone struggle to enable them as needed; and its security scheme for IE - which, instead of distrusting Web content by default, forces the user to decide whose content to trust and whose not to - is essentially a means of skirting responsibility by blaming the victim for the crushing burden of malware they are carrying.
Microsoft has made a pudding of security from its earliest days, and no amount of malicious intent can possibly account for this. The company's obsession with ease of use is more than adequate to account for this and thousands of other security snafus like it.
Furthermore, the WMF flaw doesn't make for a good backdoor, assuming that one would like to target a user, or class of users. For example, IE is not in itself vulnerable; the problem comes when the system renders online WMF files with shimgvw.dll. So luring a Windows user to a malicious web site is no guarantee that they will be affected, while many others, who are not targets, might well be affected. Simil