Slashdot Mirror
WMF Vulnerability is an Intentional Backdoor?
An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.
This does look awfully like a special-case trigger. The idea of a backdoor is to have it look for a specifically crafted but completely nonsensical and invalid input sequence -- this serves as the "key" to the backdoor, ensuring that no other designer or user accidentally stumbles onto it. Since we assume that legitimate users and developers will only provide valid input, we design our "key" to be definitely invalid. For me, that length==1 trigger is the most convincing evidence. It's not just that it's the wrong input, it's that it's the one specific value of wrong input that triggers the behavior. That seems like design.
A lawsuit is not the answer to everything.
The Blaster Master Fighting for Truth, Justice, and Evil Pie since 1979
I agree with the author that the length prefix is something of a smoking gun. It begs the question of "how do we know it was fixed..." For example, they could change it to execute the datastream when length is set to a new trigger value; or a stronger backdoor would ignore any unsigned code. Still there, but harder to test for.
It's a straightforward way to add a backdoor that will bypass firewalls, etc. It can be triggered by a browsed page, email, etc. It's better than gif/jpeg encoding because those are more "platform independent." and the payload would be more likely noticed by a 3rd party decoder.
On the other hand, isn't this flagged as an attempt to execute code on a data page?
Also, if it were official, doesn't MS have easier ways into a general box - say through security updates, or even the entire existing code base?
Actually, I think Microsoft will go after Gibson's reputation.
It's nothing like that actually, you are comparing apples to supernovas.
~S
For me, that length==1 trigger is the most convincing evidence.
I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.
I think the real giveaway here is that Windows creates a new thread when presented with this magic length. That's like rolling out the red carpet for the attacking Huns. I don't think the average buffer overflow type exploit gets it's own thread or process.
And of course it's still possible that it was all a mistake. The C language can be used to write some extremely tangled code, if one is so inclined. Something like an incorrectly used setjmp/longjmp could have effects like this.
This seems to be only useful if MS itself wanted to use it. Use your imagination as to what they'd do with it. I can think of all kinds of things.
"terrorism" and "pedophilia" are the root passwords to the Constitution
If it were intentional you'd think they would have been able to patch it a little more quickly.
Who writes an evil backdoor, which dates back to Win3.1 days (when you didn't NEED an evil back door, and Windows had no clue what this Internet thing was about), and then DOCUMENTS it?
Lest we forget that Wine also proved vulnerable, and it was a clean-reimplementation of the specs!
Test your net with Netalyzr
The name means nothing. It's the facts that matter. Whether he is a one-day hacker or some looney, he discovered that for Length==1, (a completely invalid value that makes no sense for WMF's), Windows creates a new thread and starts executing the code.
IMHO your "debunking steve gibson" site is nothing but a smokescreen to divert the attention from Microsoft's vulnerabilities and backdoors.
"A lawsuit is not the answer to everything."
Since profit is all a corporation cares about, suing away those profits is the only way to punish it.
$8.95/mo web hosting
Yes, because it's impossible for an identical problem to exist in WINE, and therefore open source solves all problems.
Breaking Into the Industry - A development log about starting a game studio.
I could see someone deliberatly doing this, maybe a contractor or a disgruntled employee.
- How about a totally stupid idea that MS thought was good?
I mean MS has a long history of ignoring security for usability, lock in and whatnot. WMF dates back to close to 10 years, back when MS really didn't give a damn about security. Even after a the big Gates propaganda email and Trusted Computing Initiative and all the hoopla, XP SP2 allows blank passwords for administrators, the user created during installation is an administrator, again if password is blank no one gives a shit. Remote registry is on by default. RPC on by default. Administrative shares are on by default. Not to mention a plethora of completely useless services.
MS just doesn't understand security. This WMF example is nothing different. It's some ancient code that never got looked at. Add to that the fact everyone and his mother is root, AND that the OS is a big bowl of spaghetti (hi2u IE deep in kernel), you get another attack vector vs Windows systems.
Did someone maliciously implement this WMF "feature"? I doubt it. It looks like another regular MS security hole that shows that MS has no clue about security.
"terrorism" and "pedophilia" are the root passwords to the Constitution
A lawsuit is not the answer to everything.
Too true.
This is a case for criminal prosecution. Gibson has uncovered evidence that at face value demonstrates that there has been a conspiracy to defraud Windows users, and possibly to defraud Microsoft Corporation itself. Microsoft's internal documents would identify the coder(s) involved in this deceit, and possibly other conspirators.
I think it is time for the Washington State Attorney General to give this to a Grand Jury. (IANAL, but I think it is the business of a Grand Jury to determine if a crime has been committed in this kind of circumstance).
Let a Grand Jury hear this evidence and decide whether it appears that some person(s) deliberately set out to violate the privacy of Windows users.
Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.
The stories Allied soldiers were told about the nazis paled in comparison to what they saw in the camps. Allied propagandists didn't have the imagination to come up with anything like the holocaust.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
"terrorism" and "pedophilia" are the root passwords to the Constitution
Actually, Gibson is saying he doesn't know if previous versions are exploitable or not. In fact he's counting on not, since that's the only way to determine when the "backdoor" was inserted. Gibson is a bomb thrower. There's no evidence other than his opinion that this is a deliberate backdoor.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
Not only that, but my understanding is that the relevant WMF functions date back to the Win3.0 era (maybe Win2.0, not sure -- the earliest date I've seen was 1991) and in any event, long before M$ had much of a clue about the internet. And long before OS "back doors" became a common worry, too. M$ simply doesn't plan that well when it comes to how stuff is used/affected by an OS, and in fact tends to come late to the bandwagon.
Furthermore, if Gibson is so sure of himself, why isn't his own test utility available to everyone? (Apparently it was only available to Laporte's listeners... not likely to be the most unbiased audience.)
Net result: I knew Gibson's tinfoil hat was a trifle snug, but now I'm sure it needs a complete refitting.
~REZ~ #43301. Who'd fake being me anyway?
Most Windows computers at one point have connected to Windows Update, also IE defaults to MSN, isn't there a getting started page as well when you first open IE after install?
It's just simple observation to say that the only site that would be consistent on every Windows system is a Microsoft site, somewhat how on my mac I am connected to apple after a clean install when I open Safari. One could say the only site that would be consistent on every mac would be apple.com.
-PS I don't think it was an intentional backdoor.
Get a clue, troll-
If you're going to accuse someone of trolling, you want to be pretty sure about your facts.
if you have a blank admin password, XP prevents ANY remote network access using that account.
Hmmmn, thats an interesting band-aid.
You are actually more secure with a blank password.
Really? More secure with a blank password? I doubt it.
Would make privilige escalation pretty damn easy after you'd hacked a user account.
And it makes all that least priviliged user stuff that MS goes on about a little irrelevant too.
My pics.
I'm not quite sure why they'd want to use it. End-users already trust Microsoft implicitly because they made the operating system, so if they wanted to, for instance, install some software on all Windows machines that reports home if it detects a pirated copy, they could just do it through a service pack update. Most people would willingly install it (or click the little automatic button in Windows Update), and there'd be none of this Tom Clancy technothriller intrigue.
I can't personally think of any kind of official reason why Microsoft would want to shove code onto Windows machines just from visiting their website. They've got tons of other ways of doing this.
(Defending Microsoft - only on Slashdot. Ok, so some monkees tapping on a keyboard while the programmer wasn't looking snuck this code in ;)
First of all, Gibson is no bomb thrower, he's uncovered some pretty serious security issues with Microsoft. I'd suggest reading his web site - he's a very thorough person, and doesn't make any wild unsubstantiated, naive, biased claims, like, say, Slashdotters. He's a long time Windows user, not a Mac fan, nor an open-sourcer (at least until recently, for reasons like this)Now, to quote the transcript, curious where you would even be able to make the claim that that this *isn't* a backdoor:
Yeah, he's saying this is a deliberate backdoor. Listen to the article or read the transcript, then think about it a little. Now, he's not saying *what* Microsoft put this in for. Did someone put this in for testing -that's my take, from a programmer perspedctive but .. who the heck knows. That's sorta the problem with proprietary software, we might never know. Buyer beware.