Slashdot Mirror


WMF Vulnerability is an Intentional Backdoor?

An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.


  1. Rootkit by poeidon1 · · Score: 2, Interesting

    Is it like a rootkit, but placed by Microsoft itself? ..Grrr.

    --
    They called me mad, and I called them mad, and damn them, they outvoted me. -Nathaniel Lee
    1. Re:Rootkit by poeidon1 · · Score: 2, Interesting

      So, can I sue Microsoft now for the damage?

      --
      They called me mad, and I called them mad, and damn them, they outvoted me. -Nathaniel Lee
    2. Re:Rootkit by m50d · · Score: 2, Insightful

      It's not really a rootkit as there's no immediate root access; you just get to execute code as the user who views the file. Though with Windows there's not that much difference.

      --
      I am trolling
  2. I would not be surprised at all. by AltGrendel · · Score: 4, Interesting
    I could see someone deliberately doing this, maybe a contractor or a disgruntled employee.

    It's happened before and it will happen again. Whether this is the case remains to be seen.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:I would not be surprised at all. by NtroP · · Score: 4, Insightful
      I could see someone deliberately doing this, maybe a contractor or a disgruntled employee.
      The problem with that argument is that in order to exploit this backdoor you'd have to get the target computer to load a WMF file. The main practical way to do this would be to embed it in a web page and have the target visit that page. The only sites that all Windows machines access on a regular basis are Microsoft's. The employee would also have to have access to Microsoft's web site to exploit this reliably.

      This seems to be only useful if MS itself wanted to use it. Use your imagination as to what they'd do with it. I can think of all kinds of things.

      --
      "terrorism" and "pedophilia" are the root passwords to the Constitution
    2. Re:I would not be surprised at all. by Andrewkov · · Score: 2, Interesting

      It seems unlikely that an API programmer would have access to the main webservers to pull that off. Besides, the exploitable feature has been there since Windows 3.1 (if I remember a comment from a previous Slashdot story correctly).

    3. Re:I would not be surprised at all. by dc29A · · Score: 5, Insightful

      I could see someone deliberately doing this, maybe a contractor or a disgruntled employee.
      - How about a totally stupid idea that MS thought was good?

      I mean MS has a long history of ignoring security for usability, lock in and whatnot. WMF dates back to close to 10 years, back when MS really didn't give a damn about security. Even after the big Gates propaganda email and Trusted Computing Initiative and all the hoopla, XP SP2 allows blank passwords for administrators, the user created during installation is an administrator, and again, if the password is blank no one gives a shit. Remote registry is on by default. RPC on by default. Administrative shares are on by default. Not to mention a plethora of completely useless services.

      MS just doesn't understand security. This WMF example is nothing different. It's some ancient code that never got looked at. Add to that the fact everyone and his mother is root, AND that the OS is a big bowl of spaghetti (hi2u IE deep in kernel), you get another attack vector vs Windows systems.

      Did someone maliciously implement this WMF "feature"? I doubt it. It looks like another regular MS security hole that shows that MS has no clue about security.

    4. Re:I would not be surprised at all. by Stripe7 · · Score: 3, Informative

      Someone mentioned on Groklaw that the exploit also exists in wine which just implements the WMF spec.

    5. Re:I would not be surprised at all. by monkeydo · · Score: 3, Insightful

      Actually, Gibson is saying he doesn't know if previous versions are exploitable or not. In fact he's counting on not, since that's the only way to determine when the "backdoor" was inserted. Gibson is a bomb thrower. There's no evidence other than his opinion that this is a deliberate backdoor.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    6. Re:I would not be surprised at all. by QuietLagoon · · Score: 5, Funny
      The only sites that all Windows machines access on a regular basis are Microsoft's.

      I presume you are willing to show the details of your extensive research that determined this factoid....

    7. Re:I would not be surprised at all. by towsonu2003 · · Score: 2, Informative
      Someone mentioned on Groklaw that the exploit also exists in wine which just implements the WMF spec.

      http://ubuntuforums.org/showthread.php?t=113611
    8. Re:I would not be surprised at all. by Reziac · · Score: 3, Insightful

      Not only that, but my understanding is that the relevant WMF functions date back to the Win3.0 era (maybe Win2.0, not sure -- the earliest date I've seen was 1991) and in any event, long before M$ had much of a clue about the internet. And long before OS "back doors" became a common worry, too. M$ simply doesn't plan that well when it comes to how stuff is used/affected by an OS, and in fact tends to come late to the bandwagon.

      Furthermore, if Gibson is so sure of himself, why isn't his own test utility available to everyone? (Apparently it was only available to Laporte's listeners... not likely to be the most unbiased audience.)

      Net result: I knew Gibson's tinfoil hat was a trifle snug, but now I'm sure it needs a complete refitting.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    9. Re:I would not be surprised at all. by mohaine · · Score: 3, Informative

      I thought this as well, but if you RTFA, you would see that Gibson doesn't think the SetAbortProc WMF exploit works the way it should.

      According to the docs, SetAbortProc should provide a pointer to a callback function that is called when a print is aborted. This in itself sounds like a security hole, but it could only be fired if the print is canceled, and then it can only run a preexisting callback method, not arbitrary code.

      According to Gibson, if you call SetAbortProc with a special key, it will instantly start running arbitrary code from within the WMF. No cancelled print or preexisting method calls are required.

      If Gibson is correct, this bug is much different than how it looks on the surface.

      --
      (appended to the end of comments you post, 120 chars)
    10. Re:I would not be surprised at all. by azuretek · · Score: 3, Insightful

      Most Windows computers at one point have connected to Windows Update; also IE defaults to MSN, and isn't there a getting started page as well when you first open IE after install?

      It's just simple observation to say that the only site that would be consistent on every Windows system is a Microsoft site, somewhat like how on my Mac I am connected to Apple after a clean install when I open Safari. One could say the only site that would be consistent on every Mac would be apple.com.

      -PS I don't think it was an intentional backdoor.

    11. Re:I would not be surprised at all. by Reziac · · Score: 2, Insightful

      But that's true of anything. Just because it was designed for X doesn't mean someone can't modify it to do Y. So why the WMF function in particular? What ADVANTAGE does it have as a back door, that other more-convenient exploits can't offer?

      And considering how old the code in question is, why hasn't any exploit for it ever been seen in the wild? Surely Gibson is not the only person poking into obscure corners of Windows.

      I'm reminded of how malicious code can be embedded in the comment field of GIFs, and executed by an accomplice program... that exploit was never seen in the wild either, but has been known about for as long as GIFs have existed. Was it part of a grand conspiracy to force us all to subscribe to Compu$erve?? ;)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    12. Re:I would not be surprised at all. by jez9999 · · Score: 4, Informative

      Furthermore, if Gibson is so sure of himself, why isn't his own test utility available to everyone?

      Eh? I just downloaded it, it's linked to from here.

    13. Re:I would not be surprised at all. by mrseigen · · Score: 4, Insightful

      I'm not quite sure why they'd want to use it. End-users already trust Microsoft implicitly because they made the operating system, so if they wanted to, for instance, install some software on all Windows machines that reports home if it detects a pirated copy, they could just do it through a service pack update. Most people would willingly install it (or click the little automatic button in Windows Update), and there'd be none of this Tom Clancy technothriller intrigue.

      I can't personally think of any kind of official reason why Microsoft would want to shove code onto Windows machines just from visiting their website. They've got tons of other ways of doing this.

    14. Re:I would not be surprised at all. by Tim+C · · Score: 2, Insightful

      The only sites that all windows machines access on a regular basis are Microsoft's.

      I assume that you're thinking of Windows Update, but at a guess I'd imagine that most (recent) Windows machines get most of their updates via automatic updates, or not at all. I'd be very surprised if "all Windows machines" visit any given site on a regular basis.

      (In fact it's trivially easy to disprove your assertion - I have access to 3 XP machines, and none of them visit any of MS's sites on anything approaching a regular basis, but that's beside the point)

      This seems to be only useful if MS itself wanted to use it. Use your imagination as to what they'd do with it. I can think of all kinds of things.

      I can't think of a single thing that would be worth it. An attack like that would be discovered and traced back to them, and they'd be crucified for it. Unless they could achieve their aim before that happened, there'd be no point, and short of taking over the world, I can't think of anything that would be worth it. Even if they could think of a way to make money using it, the courts would seize it all anyway.

    15. Re:I would not be surprised at all. by rts008 · · Score: 2, Insightful

      You obviously did not RTFA or you would know that he isn't sure of himself- he has only worked/looked at this a total of one day and happened to bring it up on the podcast. He has also stated NUMEROUS times that it SEEMS to be a backdoor, but until he has a chance to work at this longer to find out- it appears to him to have no other function he can see AT THIS TIME. (no, I am not going to link to these statements- RTFA!). Second, you must not have put any effort into finding his tool- it took me about 30 seconds to find the link to it- since you are so web challenged, here is the tool: (http://www.grc.com/sn/notes-022.htm) How any of you calling Steve "bombthrower" (and similar) got modded anything other than flamebait or troll is beyond me- obvious from your comments you did not RTFA and the /. modders are not paying attention I guess.

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    16. Re:I would not be surprised at all. by LinuxGeek · · Score: 2, Informative

      I'll safely assume that you didn't RTFA since you don't already know what I'm going to tell you.

      What Steve initially found was that he had a hard time getting the SETABORTPROC function to execute wmf embedded code as he had read the vulnerability was allowing. After looking at some of the exploit code that was available, he started experimenting with illegal wmf record header sizes and one (and only one) illegal record size would actually prompt windows to spawn a new thread and then start executing the bytes within the wmf data stream directly. The SETABORTPROC supplied code entry point is completely ignored.

      This behaviour will allow remote execution of arbitrary code on unpatched systems.

      --

      Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
    17. Re:I would not be surprised at all. by LinuxGeek · · Score: 2, Interesting

      I'm a programmer. Got my start with BASIC in the TRS-80/Vic-20/Apple][ era. Progressed to writing device drivers in assembler for the newfangled IBM PCs and a UNIX clone named Coherent. Wrote my first Windows program for Win 3.0, progressing through Win2k and then jumping to Linux. For much of this time frame (late 80's through the present) I have been reading the writings of Mr. Gibson. I don't always agree with his opinions or approaches to communication, but I've never really been able to find fault with his research into specific security and operational flaws.

      Until I see strong reason to doubt his findings, I'll be reading his articles with great interest. To reiterate my previous post, what Mr. Gibson has described is exactly what a backdoor does. It is not a trivial programming task to spawn a new thread and then start that thread's execution at the byte following a single invalid wmf record descriptor. Get one of your programmer friends to explain the steps necessary to perform this sequence. If you can't get a good example, then post back here and I'll give you some pseudo code to outline how non-trivial it is and also show how unlikely it is that this is just a bug.

      --

      Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
  3. NSA by Anonymous Coward · · Score: 5, Funny

    Well, how else is the NSA going to fight terrorism?

  4. Government backdoor? by Jerry_Duplicate · · Score: 5, Interesting

    There was talk about the NSA/CIA having a close relationship with Microsoft and being able to exploit backdoors in Windows. This could have all been conspiracy theories, but the fact that this vulnerability existed throughout the Windows line kinda seems odd..

    If this isn't a glaring example on why you should support open source, I don't know what is....

    1. Re:Government backdoor? by Dystopian+Rebel · · Score: 5, Interesting
      but the fact that this vulnerability existed throughout the Windows line kinda seems odd.

      The function in question has existed for a long time. The exploit is in Windows 2000 and more recent. From the transcript:

      But the only conclusion I can draw is that there has been code from at least Windows 2000 on, and in all current versions, and even, you know, future versions, until it was discovered, which was deliberately put in there by some group, we don't know at what level or how large in Microsoft, that gave them the ability that they who knew how to get their Windows systems to silently and secretly run code contained in an image, those people would be able to do that on remotely located Windows machines...
      --
      Rich And Stupid is not so bad as Working For Rich And Stupid.
    2. Re:Government backdoor? by RexRhino · · Score: 2, Insightful

      Of course Windows is the dominant corporate operating system in the U.S., and there are far more intelligence agencies around the world who engage in corporate espionage than just the NSA/CIA (actually, the U.S. is probably behind in corporate espionage compared to say the Chinese or French - we are too worried about terrorists or whatnot). The idea that the NSA/CIA would encourage something that would be used against Americans by foreign powers as much or more than against the "enemies" of the U.S. makes the story seem more like conspiracy theory / urban legend.

    3. Re:Government backdoor? by ZorbaTHut · · Score: 3, Insightful

      Yes, because it's impossible for an identical problem to exist in WINE, and therefore open source solves all problems.

      --
      Breaking Into the Industry - A development log about starting a game studio.
    4. Re:Government backdoor? by einhverfr · · Score: 3, Informative

      The first NSA-induced backdoor that was well documented was in Windows 95/98/ME and NT4 and later. A reasonably good writeup is found at http://www.heise.de/tp/r4/artikel/5/5263/1.html (english).

      Needless to say, I am not at all surprised that there might be all sorts of backdoors in Windows that we may never know about. This is a really good reason *not* to use it in any environment requiring security.

      --

      LedgerSMB: Open source Accounting/ERP
    5. Re:Government backdoor? by Jurph · · Score: 2, Insightful

      He's not going to have his clearance for very long if he goes around bullshitting his buddies about the NSA's sources and methods. If you've got a real citation for this, serve it up. Otherwise, you're just one more uncleared idiot pretending you know what's going on at Ft. Meade.

    6. Re:Government backdoor? by monkeydo · · Score: 3, Informative

      Paranoid speculation. Much like the current story.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    7. Re:Government backdoor? by evilviper · · Score: 2, Insightful

      If this is an intentional backdoor, it is the crappiest one, EVER!

      You'd want something in the base system of ALL Windows versions, which couldn't be disabled AT ALL, doesn't require a user to be logged-in as an admin, or stupid enough to open anything sent to them.

      If I was making a backdoor, I'd put it in something basic... Have the IP stack open a port when receiving a specially-crafted packet. Have the filesystem driver silently execute a file if it finds a special signature in it (eg. code embedded in a cookie/web-page), etc.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    8. Re:Government backdoor? by Dibblah · · Score: 2, Informative

      However, the patch was out to WINE before it was out for Windows.

    9. Re:Government backdoor? by einhverfr · · Score: 4, Informative

      First you have to understand what the ramifications of this are likely to be.

      The NSA is (in theory at least) legally forbidden to spy on Americans. Their main mission involves cryptanalysis (codebreaking) and signal intelligence. So they spend a lot of time in foreign countries eavesdropping on cell phone calls and the like. They have also been very much involved in the development of computerized cryptography (witness their role in the creation of DES). In this latter case, they have probably attempted to balance their interests in codebreaking with the legitimate interests in algorithmically secure encryption (i.e. make DES algorithmically secure, but shorten the key so we can break it if we really have to).

      The rise of independent professional cryptography organizations, like RSA, Inc. has created a very serious problem for the NSA in this regard. In general, most of these new systems use variable length keys and are highly peer reviewed for attack potential. So the NSA cannot count on being able to brute force decrypt a document within a reasonable timeframe in the event of a clear and present need to decrypt the information.

      Therefore, I believe that most of these are there to allow the NSA to bypass the encryption algorithms in Windows and allow them to access the information without having to attack the encryption. This would make reasonable sense given the NSA history.

      Now, I see *no* reason to suppose that the NSA has anything to do with the WMF exploit. Instead, I suggest that this is likely to be a backdoor either put in place by a developer, at the request of a partner (such as the RIAA), etc. This backdoor has *nothing* to do with anything the NSA typically gets involved in, so I think even the most paranoid analysis can rule them out. Instead, this is just a strange attempt to allow the Media Player to be subverted and used in what ever way an attacker decides.

      Now, Microsoft's response to this has been inadequate (they only grudgingly developed a patch), which suggests that this backdoor had the blessing of the company, much like the response to the Sony DRM rootkit which was undetected by agreement with First4Internet. Lest I appear to be too hard on Microsoft, I found Symantec's response ("Oh, we will start removing it" when First4Internet claims they were working with Symantec to ensure that it would not be removed) to be far less trustworthy.

      Anyway, there is enough doubt in my mind about Microsoft's goodwill on these areas that I would not suggest running Windows in any environment that absolutely requires security. The system has fundamental design flaws from a security point of view, and these problems continue to underscore either serious development issues at Microsoft or an attitude that the security of the customer is not really that important.

      --

      LedgerSMB: Open source Accounting/ERP
    10. Re:Government backdoor? by AnotherBlackHat · · Score: 2, Insightful

      You need plausible deniability.
      I.e. the back door has to look enough like a bug that finding it won't cause people to immediately realize that you're installing back doors intentionally.

      Something like a buffer overflow in the TCP stack that only happens with packets of an exact size (off by one in some checking routine.)

    11. Re:Government backdoor? by man_of_mr_e · · Score: 4, Informative

      Actually, Bruce Schneier's analysis is somewhat different.

      http://www.schneier.com/crypto-gram-9909.html#NSAKeyinMicrosoftCryptoAPI

      The fact is, the majority of the people making claims about this don't even understand what it does. The majority of the speculation isn't possible. It doesn't give anyone (Not even Microsoft, much less the NSA) a backdoor into your computer.

    12. Re:Government backdoor? by ray-auch · · Score: 2, Informative

      You have some weird definition of "before".

      Official, tested, binary patch for Windows released on 5th Jan. Unofficial & leaked-official patches were out even before that.

      WINE was patched in CVS on the 6th.

      Checking in a change to source is a long way off a tested patch release, as demonstrated by Crossover Office releasing the fix on the 10th.

      My belief is that Open Source is usually patched quicker - but not this time. One suspects that at least some of the "many eyes" normally on the code were too busy laughing and pointing at MS to check if they too had been caught with trousers down.

  5. Unparalleled BS from MS. by TripMaster+Monkey · · Score: 2, Interesting

    From TFA:
    And their [Microsoft's] definition for what's critical is sort of amazing. I mean, and this is from a page on their website. They say a vulnerability in Windows is critical only if its exploitation could allow the propagation of an Internet worm without user action. In other words, anything else is not critical.
    You mean user action like...say...opening a web browser?

    Anyway, this is freaky interesting, because if this is actually true, it's pure, unvarnished evil. It's a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

    Steve makes an excellent case with his diagnosis, but I'd love to see his findings verified by a few other agencies. This is too important to leave to one researcher.

    I, for one, am going to be following this story avidly. Any bets on when M$ issues a statement that a 'rogue programmer' put this code in, and disavows any knowledge or responsibility?
    --
    ____

    ~ |rip/\/\aster /\/\onkey

  6. Length==1 by atfrase · · Score: 5, Insightful

    This does look awfully like a special-case trigger. The idea of a backdoor is to have it look for a specifically crafted but completely nonsensical and invalid input sequence -- this serves as the "key" to the backdoor, ensuring that no other designer or user accidentally stumbles onto it. Since we assume that legitimate users and developers will only provide valid input, we design our "key" to be definitely invalid. For me, that length==1 trigger is the most convincing evidence. It's not just that it's the wrong input, it's that it's the one specific value of wrong input that triggers the behavior. That seems like design.

    1. Re:Length==1 by stevied · · Score: 4, Insightful

      Obviously SetAbortProc should not be implemented for WMF playback, but assuming somebody screwed up and just called the normal version of Escape(), could the behaviour we're seeing here not somehow be the result of not checking the validity of the length parameter properly, performing some arithmetic on it, and possibly falling through to some other code that happens to be a jump or call?

    2. Re:Length==1 by Procyon101 · · Score: 4, Insightful

      Possibly, but I doubt it's a Microsoft sanctioned backdoor. Any "OFFICIAL" backdoor from MS would have a much more complex key to get in than "1".

      I can see this being a programmer supplied backdoor, like a hook for easter eggs, but based on the other security work done in MS, anything that can be gotten into that is there on purpose is locked up pretty tight to any casual attempts.

    3. Re:Length==1 by DaveCar · · Score: 2, Funny

      That seems like design

      Intelligent Design?

    4. Re:Length==1 by atfrase · · Score: 5, Interesting

      Agreed, it doesn't seem like the kind of "feature" that was designed in top-secret MS design documents or developed in meetings.

      But I still have a hard time seeing how code would *accidentally* behave like this. An invalid length should abort processing right off the bat, for one thing; "falling through" might be an explanation, but what possible code could be "fallen through" into that would set CPU execution *inside* the metafile -- moreover, would set CPU execution to the *next byte* after the erroneous header block. That's awfully convenient; if it were a mistake, I'd expect code execution to begin at some other random location, probably influenced by whatever happened to be in the register or some temporary pointer variable at the time. But the very next byte? That's too insanely convenient -- you get to provide your key *and* your payload in the *same* place.

      You could argue that buffer overrun exploits do the same thing, but the idea of the buffer overflow is to specifically overwrite the function-return pointer to *make* it point at your code. In this case, the exploit doesn't have to specify the location of the code to execute, Windows does that for you. Too convenient.

    5. Re:Length==1 by Shimmer · · Score: 3, Interesting

      You're right, of course. Everyone who's saying this is "obviously" intentional is jumping the gun in a big way. I've got $5 right here that says it's an accident.

      "Never ascribe to malice that which is adequately explained by incompetence."

      --
      The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
    6. Re:Length==1 by atfrase · · Score: 5, Informative

      Basically, the header block for a unit of WMF script contains a "length" field which specifies how long the current unit is. This is standard for this sort of file, and is the primary way to avoid buffer overruns (if you force the data to tell you how big it's supposed to be, and then double check that while reading, you make sure you have enough buffer space to store it all -- otherwise you might read too much, overrun the end of the buffer and trash an important function pointer or something..)

      In this case, the smallest possible "length" value is 6, because the header itself takes 6 bytes, so even if the unit had no actual data, the length field itself and the unit's command code is a minimum of 6 bytes.

      To trigger the exploit, the length must be set to 1. Not 2, 3, 0, or some other equally invalid value, but only the value "1". Any other value has no effect at all.

    7. Re:Length==1 by BandwidthHog · · Score: 3, Funny

      To trigger the exploit, the length must be set to 1. Not 2, 3, 0, or some other equally invalid value, but only the value "1".

      And the counting of the length shall be ONE!

      Sorry, couldn’t resist.

      --

      Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
    8. Re:Length==1 by StarDrifter · · Score: 5, Informative
      For me, that length==1 trigger is the most convincing evidence.

      It might have been convincing if it were true. The vulnerability checker from Ilfak Guilfanov's site uses length==17 to trigger the exploit (Look in the wmfhdr.wmf file in the source zip. The length is a little-endian DWORD at offset 0x12.)

      The Metasploit module uses a length of 4. Check out the following snippet:

          #
          # StandardMetaRecord - Escape()
          #
          pack('Vvv',

              # DWORD Size; /* Total size of the record in WORDs */
              4,

              # WORD Function; /* Function number (defined in WINDOWS.H) */
              int(rand(256) << 8) + 0x26,

              # WORD Parameters[]; /* Parameter values passed to function */
              9,
          ). $shellcode .

      I think Steve Gibson is confused.
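
A record walker that flags the two shapes the posts above describe: a record whose size field is smaller than the 6-byte record header (atfrase's minimum of 3 WORDs) and a META_ESCAPE record carrying the SETABORTPROC sub-function (the layout in the Metasploit snippet). This is an added example, not code from the thread, from Gibson or from Metasploit; the header layout follows the MS-WMF specification, and the sample files, including the inert text standing in for a payload, are constructed here.

```python
"""Scan a WMF byte stream for the record shapes discussed in the thread."""
import struct
from typing import Iterator, List, NamedTuple

# WMF layout (MS-WMF): optional 22-byte placeable header with magic 0x9AC6CDD7,
# then an 18-byte standard header, then records of DWORD Size (in WORDs),
# WORD Function, WORD Parameters[] -- the layout quoted in the Metasploit snippet.
PLACEABLE_MAGIC = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
STANDARD_HEADER_LEN = 18
MIN_RECORD_WORDS = 3          # Size (2 WORDs) + Function (1 WORD) = 6 bytes
META_EOF = 0x0000
META_ESCAPE = 0x0626          # the quoted exploit randomises the high byte, so match the low byte only
ESCAPE_SETABORTPROC = 9       # meaningful for a printer DC, never for metafile playback


class Record(NamedTuple):
    offset: int
    size_words: int
    function: int
    params: bytes
    truncated: bool


def iter_records(data: bytes) -> Iterator[Record]:
    """Walk the record stream; stop at META_EOF, at an invalid size, or at end of data."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = PLACEABLE_HEADER_LEN
    pos += STANDARD_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        if size_words < MIN_RECORD_WORDS:
            # A size smaller than the record header itself is invalid; a correct
            # parser rejects the file here rather than acting on the record.
            yield Record(pos, size_words, function, b"", False)
            return
        end = pos + size_words * 2
        truncated = end > len(data)
        yield Record(pos, size_words, function, data[pos + 6:min(end, len(data))], truncated)
        if truncated or function == META_EOF:
            return
        pos = end  # size_words >= 3 guarantees forward progress


def scan_wmf(data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for rec in iter_records(data):
        if rec.size_words < MIN_RECORD_WORDS:
            findings.append(f"offset {rec.offset:#x}: invalid record size {rec.size_words} WORDs "
                            f"(minimum is {MIN_RECORD_WORDS})")
            continue
        if (rec.function & 0xFF) == (META_ESCAPE & 0xFF) and len(rec.params) >= 2:
            escape = struct.unpack_from("<H", rec.params, 0)[0]
            if escape == ESCAPE_SETABORTPROC:
                findings.append(f"offset {rec.offset:#x}: META_ESCAPE with SETABORTPROC "
                                f"(function {rec.function:#06x}); no legitimate use in a metafile")
        if rec.truncated:
            findings.append(f"offset {rec.offset:#x}: record claims {rec.size_words} WORDs "
                            f"but runs past the end of the data")
    return findings


def build_wmf(records: bytes) -> bytes:
    """Prefix a minimal, constructed 18-byte standard header (in-memory type, version 3.0)."""
    size_words = (STANDARD_HEADER_LEN + len(records)) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, size_words, 0, 0, 0) + records


# Constructed samples; the bytes after the escape record are inert text, not code.
BENIGN = build_wmf(struct.pack("<IHI", 5, 0x0201, 0x00FFFFFF)   # META_SETBKCOLOR, white
                   + struct.pack("<IH", 3, META_EOF))
# Shape Gibson describes: size field of 1, Escape/SETABORTPROC, bytes following the header.
LENGTH_ONE = build_wmf(struct.pack("<IHH", 1, META_ESCAPE, ESCAPE_SETABORTPROC)
                       + b"PAYLOAD_PLACEHOLDER")
# Shape of the Metasploit record quoted above: size 4, non-standard high byte, SETABORTPROC.
METASPLOIT_SHAPE = build_wmf(struct.pack("<IHH", 4, 0x4126, ESCAPE_SETABORTPROC)
                             + b"PAYLOAD_PLACEHOLDER")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("length==1", LENGTH_ONE),
                         ("metasploit shape", METASPLOIT_SHAPE)):
        print(name, scan_wmf(sample) or "clean")
```

Scanning on these two conditions catches the file whichever size value the trigger uses, which is the point of StarDrifter's post: a detector keyed only on length==1 misses the length 4 and length 17 variants.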
  7. do you mean by Anonymous Coward · · Score: 4, Interesting

    This Steve Gibson? Yeah, he is a real security expert; along with his podcast boy wonder, we have much to be afraid of.

  8. Re:Another? by dr_dank · · Score: 4, Funny

    How about a link to information on the "other" intentional back doors that exist?

    *looks at clipboard*

    Ok Goatse linkers, that's your cue.

    --
    Where does the school board find them and why do they keep sending them to ME?
  9. SetAbortProc by jwegy · · Score: 3, Informative

    Yeah, SetAbortProc is used for cancelling print jobs. Here is the MSDN documentation: SetAbortProc

  10. Possible uses? by Kitsune78 · · Score: 4, Interesting

    The freakish thing about this is that if it is indeed a backdoor, it's an odd way to go about it. You can't force someone to try to view a WMF. What would its purpose be? You can't use it to get into the exact box you want to, just into a random box that perhaps picks up your WMF from a webpage, or displayed in an application.

    1. Re:Possible uses? by pahoran · · Score: 2, Interesting

      Looking for terrorists? You don't necessarily know where they are.

      Looking for people who have bad things to say about the gov't on their computer? You don't necessarily know where they are.

      And let your imagination continue the list ...

      --
      I'd give my right arm to be ambidextrous.
    2. Re:Possible uses? by RexRhino · · Score: 4, Interesting

      Digital Rights Management... If you can control a box using a WMF file, there is all sorts of digital rights management mischief you can do to prevent a machine from copying a file, or decoding a file, or whatever.

    3. Re:Possible uses? by notreallynas · · Score: 2, Insightful

      It seems to me Microsoft could use it to get into every box using IE that contacts msn.com
      That's got to be at least a few.
      I imagine they could just turn this into a wmf file and run whatever code they want on millions of PCs.

    4. Re:Possible uses? by ZachPruckowski · · Score: 2, Insightful

      It's a ten year old or so vulnerability. It predates DRM, so I doubt it was built for that originally. Sure, it may have DRM uses, but it couldn't have been made for DRM.

  11. Bugs don't have to be well-coded by m50d · · Score: 2, Interesting

    That's why they're bugs. Seriously, I don't think the fact that it behaves differently from how it does in a printer is any indication it was deliberately written that way. More likely this was an attempt to disable the code that went wrong.

    --
    I am trolling
    1. Re:Bugs don't have to be well-coded by NtroP · · Score: 2, Interesting
      That's why they're bugs. Seriously, I don't think the fact that it behaves differently from how it does in a printer is any indication it was deliberately written that way. More likely this was an attempt to disable the code that went wrong.
      You're talking out of your ass. RTFA.

      This is (IMNSHO) not a bug. How would you accidentally introduce a bug that, for one specific, non-valid value, makes the program start executing code that has no place being there in the first place? This has nothing to do with printing. This has nothing to do with a callback to a function in the originating program to tell it the print job has been aborted. This is about executing code within the WMF file directly. It serves no purpose, especially since it only works if you give specific, non-random, invalid input to the WMF parser.

      --
      "terrorism" and "pedophilia" are the root passwords to the Constitution
  12. Lawsuit time by Animats · · Score: 5, Interesting
    Someone involved in a WMA-related lawsuit needs to subpoena, from Microsoft, all the source code and all the change control information for this small part of Windows. Then the original programmers need to be found and deposed under oath. This is standard legal procedure for something like this.

    It's possible to get to the bottom of this by legal means.

  13. Based on that information by Marxist+Hacker+42 · · Score: 2, Interesting

    I think it's a beneficial back door- in fact, I wouldn't be at all surprised to find that they'll need to update "Windows Update" after all the patches are in place.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  14. Magic Lantern? by Tackhead · · Score: 4, Interesting
    Sometimes even a blind squirrel gets a nut.

    The notion of a backdoor in Windows isn't new. Perhaps the WMF vulnerability was one of the vectors used by Magic Lantern, which was the code word for at least one of the FBI's keylogger programs. Magic Lantern was notable in that antivirus providers participated with the Feebs in a gentleman's agreement to not look for it.

    It's certainly a dumb enough solution that the IT-challenged FBI might go for it.

    On relative dumbness and smartness, I'd expect smart spies, namely those who work for two other notable three-letter-agencies, to use somewhat more interesting techniques. If it were me, I'd take advantage of equipment I had in place at critical infrastructure points to conduct MITM attacks between a PC and Windows Update servers, in order to transparently install my spookware on only those machines that specifically identify themselves - by means of GUID or whatever other stuff I could glean from the Windows Genuine Advantage and other DRM-related bitstreams - as belonging to my target population.

    Paranoid? If you're not paranoid, you're not thinking far enough ahead.

  15. Re:And this door leads to... by Tebriel · · Score: 4, Insightful

    A lawsuit is not the answer to everything.

    --
    The Blaster Master Fighting for Truth, Justice, and Evil Pie since 1979
  16. Steve Gibson is a crackpot by Sycraft-fu · · Score: 3, Informative

    Please remember this is the same Steve Gibson who claims to have invented a new amazing "nanoprobe" technology for port scanning which he claims is a first to the world and can do just about everything. Of course it turns out to just be specially crafted TCP packets with no payload, which nmap has done since forever.

    The guy is a massive alarmist and I wouldn't take anything he says seriously. He loves to cry about the end of the digital world type scenarios, perhaps because he really believes it, or perhaps because it gets him more business.

    1. Re:Steve Gibson is a crackpot by Moby+Cock · · Score: 4, Interesting

      Normally I'd agree with you. But in this case I think he may have found something very important. This WMF flap stinks to high heaven. The fact that there seems to be a specific and deliberate key (length == 1) is very disturbing. Gibson is a wacko and doomsayer, but today he may have found something valid.

    2. Re:Steve Gibson is a crackpot by Rashkae · · Score: 4, Informative

      Overlooking that Wine has inadvertently re-created this 'back door' by following the API spec. This is all by (poor) design, no code back doors involved. Not even a bug, per se, since it's working as designed.

    3. Re:Steve Gibson is a crackpot by RShearman · · Score: 5, Informative

      The Wine bug was a different bug. The SetAbortProc record specifies a pointer to a function which will be executed at a later point, and which it would be difficult to set to arbitrary code in the WMF itself, whereas this bug appears to be creating a thread which immediately starts executing the instruction at the next byte in the meta file.

  17. Interesting evidence by joshtimmons · · Score: 3, Insightful

    I agree with the author that the length prefix is something of a smoking gun. It begs the question of "how do we know it was fixed..." For example, they could change it to execute the datastream when length is set to a new trigger value; or a stronger backdoor would ignore any unsigned code. Still there, but harder to test for.

    It's a straightforward way to add a backdoor that will bypass firewalls, etc. It can be triggered by a browsed page, email, etc. It's better than gif/jpeg encoding because those are more "platform independent," and the payload would be more likely noticed by a 3rd party decoder.

    On the other hand, isn't this flagged as an attempt to execute code on a data page?

    Also, if it were official, doesn't MS have easier ways into a general box - say through security updates, or even the entire existing code base?

  18. Please not Gibson again... by Anonymous Coward · · Score: 3, Informative

    Steve Gibson is not a security expert

    http://www.grcsucks.com/

    1. Re:Please not Gibson again... by NtroP · · Score: 5, Insightful
      Steve Gibson is not a security expert
      I'm not a security expert either. But if I came up with this evidence, how would that change the reality of the situation? The evidence stands on its own merit. His reputation has nothing to do with it. This is easily verifiable by anyone with at least his level of knowledge. It will be interesting to see what happens when other "real" experts start looking at this.
      --
      "terrorism" and "pedophilia" are the root passwords to the Constitution
  19. What about wine? by Meltr · · Score: 3, Interesting

    I thought the same vulnerability exists in wine?

    http://it.slashdot.org/article.pl?sid=06/01/06/2043203

    1. Re:What about wine? by Deanalator · · Score: 2, Informative

      The only thing that I can think of would be blind reverse engineering or something. No offense to whoever submitted the code, as I'm sure that can be taken as a massive insult (I know I would be annoyed if someone made accusations like that about my code). Maybe the wine developer was just very anal about the specs and didn't realize what could be done with it, but it is a good defensive point for microsoft.

  20. Yeah... by TheAwfulTruth · · Score: 4, Informative

    Isn't this the same Steve Gibson that was freaking out about how Raw Sockets in XP were going to destroy the world a couple of years ago?

    S.G. is a flaming idiot; he looks for (and imagines) ghosts and spooks in every corner, then flogs his conspiracy theories to promote himself and his business. This probably holds about as much water as the "discovery" of cold fusion and Korean human cloning.

    Why aren't we reporting on REAL bugs like the 4 security vulnerabilities found in iTunes this week which open both Windows and Mac users to external attack? Was the Microsoft bashing quota too low this week?

    What is becoming of /.?

    --
    Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
    1. Re:Yeah... by NtroP · · Score: 4, Insightful
      Isn't this the same Steve Gibson that was freaking out about how Raw Sockets in XP were going to destroy the world a couple of years ago?
      Didn't that get quietly fixed in a subsequent update and therefore NOT become an issue? He may be an alarmist, but he's normally a Pro-MS guy. In this case, I think he's on to something.
      --
      "terrorism" and "pedophilia" are the root passwords to the Constitution
    2. Re:Yeah... by lachlan76 · · Score: 2, Interesting

      It wasn't for security though. The reason they disabled raw sockets was to stop people from using them to get around the limits on network connectivity between XP Home/XP Pro/Server 2003.

  21. You're on by Benanov · · Score: 3, Insightful

    Actually, I think Microsoft will go after Gibson's reputation.

    1. Re:You're on by rbochan · · Score: 4, Informative

      Like that'd be a tough thing to do...

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  22. As Eddie Deezen would say... by east+coast · · Score: 2, Funny

    I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?

    You guys are so dumb, I'd go straight through Falken's Maze.

    I just hope David Lightman isn't reading this... we'd only have a few days until it was all over for us...

    --
    Dedicated Cthulhu Cultist since 4523 BC.
  23. Re:Unparalleled BS from MS. by Soporific · · Score: 4, Insightful
    It's a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

    It's nothing like that actually, you are comparing apples to supernovas.

    ~S
  24. Re:Another? by gbobeck · · Score: 3, Funny
    How about a link to information on the "other" intentional back doors that exist?

    Sure fine... Behold the Power of Google!

    Have Fun.
    --
    Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
  25. Thread Creation by Lagged2Death · · Score: 5, Insightful

    For me, that length==1 trigger is the most convincing evidence.

    I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.

    I think the real giveaway here is that Windows creates a new thread when presented with this magic length. That's like rolling out the red carpet for the attacking Huns. I don't think the average buffer overflow type exploit gets its own thread or process.

    And of course it's still possible that it was all a mistake. The C language can be used to write some extremely tangled code, if one is so inclined. Something like an incorrectly used setjmp/longjmp could have effects like this.

    1. Re:Thread Creation by atfrase · · Score: 5, Insightful

      I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.

      Again, agreed. But again, the catch is in the particular kind of odd behavior. If I were writing that code and it hit an invalid length, I'd probably abort processing of the whole file, presuming data corruption. Failing that I'd just skip over the flawed block and proceed with processing the next one. In that case, I could imagine not checking the length very carefully and just going to " + " to process the next block -- this would produce the observed "next byte" pointer.

      The problem is in the semantics: I said *process* the next block, not *execute* it. If anything this would just cascade into more error cases, since the data that was expected to be the "next block" would almost definitely also have a malformed header (since it wasn't intended to be a header at all), etc.

      So, I guess you're right - the tipoff is still that actual code is executed without having to be specifically pointed to (i.e. buffer overrun), and that it's executed in its own thread, rather than taking over the processing thread that was interpreting the metafile in the first place.

    2. Re:Thread Creation by bdcrazy · · Score: 2, Interesting

      Could this possibly be an indirection by laziness or something more sophisticated?

      I know I've modified some already working code to use inputs that would have been 'invalid' before the modifications, to add new functionality to small programs to do other things that are similar without having to start them from scratch.

      I could see this as being a way to allow unknown image formats encapsulated in WMF files to create processes to decode and display images that weren't of the type the original WMF knew about? I know this is just speculation, but it could be a neat way of doing things, a la, including the decoder along with the actual thing to be decoded, but also bad for security purposes.

      --
      Tonights forecast: Dark. Continued dark throughout most of the evening, with some widely-scattered light towards morning
    3. Re:Thread Creation by 0123456 · · Score: 3, Insightful

      "it's executed in its own thread, rather than taking over the processing thread that was interpreting the metafile in the first place."

      But that's only an issue if the WMF-processing code doesn't create a new thread in order to call the subroutine in the valid case. In reality you'd almost certainly want the callback to happen in its own thread, rather than to allow anyone to run arbitrary code in the same thread as the print server.

    4. Re:Thread Creation by Ancil · · Score: 2, Insightful
      I think the real giveaway here is that Windows creates a new thread when presented with this magic length. That's like rolling out the red carpet for the attacking Huns. I don't think the average buffer overflow type exploit gets it's own thread or process.
      I don't find this (or the original article) convincing. He makes a wildly unsubstantiated claim about the WMF vulnerability being intentional.

      The whole Escape/SetAbortProc vulnerability is built around some (admittedly stupid) functionality in WMF files. WMF files have the ability to set an application callback function for an abort condition.

      If the code which processes this WMF file is going to call a user-supplied abort procedure, it's very reasonable for it to create a separate thread for that to happen in, rather than blocking. After all, it has no way of knowing what the application's response will be, or how long it will take.

  26. That seems to be the one by Anonymous Coward · · Score: 2, Informative

    PJ posted this story over at Groklaw. Many posts replied that, based on this guy's previous record, his accusations are not trustworthy.

    Before I believe this story, I want to see independent confirmation by someone I trust.

  27. Patch by Paradise+Pete · · Score: 3, Insightful

    If it were intentional you'd think they would have been able to patch it a little more quickly.

  28. Who DOCUMENTS their evil backdoor? by nweaver · · Score: 4, Insightful

    Who writes an evil backdoor, which dates back to Win3.1 days (when you didn't NEED an evil back door, and Windows had no clue what this Internet thing was about), and then DOCUMENTS it?

    Lest we forget that Wine also proved vulnerable, and it was a clean-reimplementation of the specs!

    --
    Test your net with Netalyzr
    1. Re:Who DOCUMENTS their evil backdoor? by RShearman · · Score: 2, Informative

      Wine has a different bug related to the SETABORTPROC record, but with a valid length field, not the special behaviour with a length of 1 described in the transcript.

  29. Ah, nice Ad-Hominem attack in there... by Spy+der+Mann · · Score: 4, Insightful

    The name means nothing. It's the facts that matter. Whether he is a one-day hacker or some looney, he discovered that for Length==1, (a completely invalid value that makes no sense for WMF's), Windows creates a new thread and starts executing the code.

    IMHO your "debunking steve gibson" site is nothing but a smokescreen to divert the attention from Microsoft's vulnerabilities and backdoors.

    1. Re:Ah, nice Ad-Hominem attack in there... by undeadly · · Score: 4, Informative
      IMHO your "debunking steve gibson" site is nothing but a smokescreen to divert the attention from Microsoft's vulnerabilities and backdoors.

      In my not so humble opinion, you don't know what you are talking about. Go read some of the links in that site, and you'll see that Steve Gibson is one of the many "security experts" that have no clue but gives dangerous and very wrong "solutions".

    2. Re:Ah, nice Ad-Hominem attack in there... by TheNumberless · · Score: 5, Insightful

      In my not so humble opinion, you don't know what you are talking about. Go read some of the links in that site, and you'll see that Steve Gibson is one of the many "security experts" that have no clue but gives dangerous and very wrong "solutions".

      In my ever-so-humble opinion you completely missed the point of the parent. The reputation, sanity, motives, and anything else dealing with the person making the claim has nothing to do with the validity of the claim itself.

      In this particular instance, there is at least some apparent merit to the idea that this was an intentional backdoor, and that merit would be there regardless of who points it out.

      If you want to discredit the idea that this is an intentional backdoor (of which I am far from convinced), then you should attack the argument directly, not the man making it.

    3. Re:Ah, nice Ad-Hominem attack in there... by toadlife · · Score: 2, Insightful

      "The reputation, sanity, motives, and anything else dealing with the person making the claim has nothing to do with the validity of the claim itself."

      Technically what you just said is absolutely correct, but, regardless of whether it's correct to do so or not, the fact that people are taking Gibson's claim with a grain of salt is hardly surprising.

      Recommended Reading

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  30. Re:And this door leads to... by Anonymous+Custard · · Score: 3, Insightful

    "A lawsuit is not the answer to everything."

    Since profit is all a corporation cares about, suing away those profits is the only way to punish it.

  31. This guy is a moron. by gregarican · · Score: 4, Informative

    I browsed over several posts on his website and came away with the conclusion that he is a few fries short of a Happy Meal. Here's one posting that I found really amusing:

    "Thank you Microsoft for blessing us with a patch to fix the products
    you currently sell. The products that compete with Linux and Macintosh.
    Excellent job at diverting our attention away from the fact that
    Windows 95, Windows 98, Windows 98SE, Windows Millennium Edition, and
    Windows NT4 remain vulnerable. Neat trick convincing people that "the
    vulnerability is not critical because an exploitable attack vector has
    not been identified that would yield a Critical severity rating for
    these versions."

    Lemme see here. Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?

    Ridiculous.

  32. I'm going to post my hierarchy of vulnerabilities. by khasim · · Score: 2, Interesting

    I've posted this once today.

    1. Remote--root access that does NOT require human intervention or other app running.

    2. Remote non-root access that does NOT require human intervention or other app running.

    3. Local root access that does NOT require human intervention or other app running.

    4. Local non-root access that does NOT require human intervention or other app running.

    5. Remote root access that requires some human interaction or some combination of apps.

    6. Remote non-root access that requires some human interaction or some combination of apps.

    7. Local root access that requires some human interaction or some combination of apps.

    8. Local non-root access that requires some human interaction or some combination of apps.

    9. Remote OS crash.

    10. Remote app crash.

    11. Local OS crash.

    12. Local app crash.

    So, Microsoft's criteria would be equivalent to #1 here. And I agree that it is "critical". It is the WORST possible vulnerability. Which is why I listed it as #1.

    But #2 is only slightly less devastating. And if you combine #2 with #3, you'll have the equivalent of #1.

    Therefore, ANY remote attack that gives you ANY user level or above access should be "critical".

    But who really cares what name you assign them? "Critical", "Red", "Emergency", "Category 1", whatever.

    What matters is what avenue is open for attack and what the results of that attack will be.

    1,000 level 12 vulnerabilities aren't anything compared to one single level 1 vulnerability.

  33. Back door flaw? by digitaldc · · Score: 3, Funny

    If it is intentional, I don't see how it possibly got past the Microsoft Security Engineers.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  34. Why hasn't he stepped into the WMF interpreter? by criznach · · Score: 5, Interesting

    My question is this... If the guy is smart enough to know that windows has kicked off a thread and executed his code, and he's smart enough to experiment with buffer-overflow exploits, why hasn't he stepped through the WMF interpreter code? Could it be that he doesn't want to admit that he has for legal reasons? I know that if I had discovered this problem, that's just what I would do. Call DebugBreak() and you have a call stack. You'd think that the handler for this SetAbortProc function would be pretty identifiable. So... Who's got the balls (or the time, in my case) to do it? That's our answer. Chris.

  35. Backdoor Holes by RequiemX · · Score: 3, Funny

    Most backdoor hole problems can be patched with the application (of) Preparation H.

  36. Would be a Crappy Backdoor by ErMaC · · Score: 4, Informative
    While the guy makes some good points, there's one point I think he's overlooking. He claims motive for this would be to allow Microsoft or someone else to get into older/current Windows systems as an intentional backdoor...

    If that's the case, they chose a dumb place to put it, because the exploit doesn't even work on Windows 2000 and below without some program installed to handle WMF files. From Larry Seltzer's blog (linked from F-Secure):

    http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx

    Except for Windows XP and Windows Server 2003, no Windows versions, in their default configuration, have a default association for WMF files, and none of their Paint programs or any other standard programs installed with them can read WMF files. One ironic point to conclude is that not until their most recent operating system versions did Microsoft include a default handler - the Windows Picture and Fax Viewer - for what has been, for years, an obsolete file format. And now it comes back to bite them.

    That means that unless Microsoft used some OTHER backdoor to install a handler for it, this backdoor is useless. I suspect this is merely an oversight on their part, and that it just ends up looking bad when you view it from the outside. The only way to know is to see the source code and well, we know how likely that is.

    A real backdoor would be something remotely exploitable via the network, as opposed to hiding inside a file or something like that.

    --
    "I want to get more into theory, because everything works in theory." -John Cash
  37. Slash used to be a much better place by Kylere · · Score: 2, Insightful

    There was a time in the history of slashdot when this would have been dissected in terms of a technological perspective. Now we just have anyone who is offended with Gibson attacking him. I have to wonder how many script kiddies are the base of the anti-Gibson press, because regardless of his state of mind, he has contributed more to system security than anyone who is flaming him.

  38. Win98 is 8 years old -- so? by talexb · · Score: 2, Interesting

    I still have two systems in my house that run Win98 -- because of the applications I need to use. They'll probably disappear in the next two years, but if you look at web logs on a public site, you'll probably see 10% of the browsers are still coming from Win98.

    It's not dead yet. You just wish it were. ;)

  39. Re:And this door leads to... by avalys · · Score: 2, Insightful

    Uh, no, how about not buying its products?

    If you buy a cell phone and decide the interface is sucky, you don't punish the company by suing them. You punish the company by buying another brand next time.

    --
    This space intentionally left blank.
  40. Re:And this door leads to... by mysticgoat · · Score: 3, Insightful

    A lawsuit is not the answer to everything.

    Too true.

    This is a case for criminal prosecution. Gibson has uncovered evidence that at face value demonstrates that there has been a conspiracy to defraud Windows users, and possibly to defraud Microsoft Corporation itself. Microsoft's internal documents would identify the coder(s) involved in this deceit, and possibly other conspirators.

    I think it is time for the Washington State Attorney General to give this to a Grand Jury. (IANAL, but I think it is the business of a Grand Jury to determine if a crime has been committed in this kind of circumstance).

    Let a Grand Jury hear this evidence and decide whether it appears that some person(s) deliberately set out to violate the privacy of Windows users.

  41. Not sure... by BRSQUIRRL · · Score: 2, Insightful

    This looks weird but it still needs more research, especially given Gibson's somewhat dodgy reputation.

    1 as an input value is one of those classic boundary conditions that developers should always specifically test against (but sometimes don't...along with 0, negative numbers, MAX_whatever, etc)...so I'm not convinced that it was just a coding error. If the "magic key" length was something completely random like 6385492, then I would be more suspicious.

    C'mon MS...let's see the code!

    1. Re:Not sure... by Dachannien · · Score: 2, Insightful

      Your supposition would require that no record in a WMF file could be 6385492 words long - or, more specifically, that there is a known maximum less than the maximum storeable value. As Gibson mentioned, the minimum record size is 6 words, which frees up the values 0 through 5 to be chosen as your magic key (or perhaps negative numbers if you use signed values for the record size). Picking one of those values would have been a lot quicker than trying to construct a maximum sized record and determining its length so you could pick something bigger.

      Gibson's findings are interesting, and as you say, certainly merit more study. As someone else said somewhere around here, stepping into and/or disassembling the relevant Microsoft code would give greater insight, as would finding out what old versions of Windows carry this problem - including old old versions like Win3.1 or whichever version introduced WMF in the first place.

      It's his assertions based upon those findings that may be a bit suspect, but that's what future research would hopefully clear up. Considering that we can't rely upon Microsoft for full disclosure, we need someone in a country that's a bit more, um, liberated than the U.S. in terms of reverse engineering to take a look at it. Gibson's rantings may seem over the top sometimes, but his strategy is to get someone with the expertise/legal protections/authority/etc. to get involved. (For that matter, it's not unlike the kickback rumors that CmdrTaco responded to the other day. Few people believed that they were actually taking kickbacks, even among the people who posted those rumors in the first place, but the rumors were enough to get CmdrTaco to take action concerning the actual problem of people abusing Slashdot for PageRank.)

  42. Think about it like a programmer by RingDev · · Score: 5, Interesting

    Code encounters escape character

    exit standard processing

    encounter SetAbortProc

    open thread to communicate with windows print manager

    thread attempts to read [length] bytes for sub value, encounters overrun

    This is where I'm guessing the real horrendous problem lies. I'm guessing that the original code ignores exceptions while pulling in the sub value, so in this case where code hits an overrun, instead of that sub value getting a few bytes of data, it just grabs until . In this case that sub value winds up being the payload.

    So there you go, key and payload on an independent thread because of a bad exception handler in a 12 year old block of code.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
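Several posts above (the length==1 trigger in "Thread Creation", the 0..5 range of invalid sizes in "Re:Not sure...", and the record walk in "Think about it like a programmer") reason about how a metafile parser steps from one record to the next. The following Python is an added example, not code from any poster here, showing how a defensive scanner (say, a mail gateway or file-upload filter) would walk the same record stream and flag what the thread describes: a record whose Size field is below the structural minimum, and any META_ESCAPE record carrying the SETABORTPROC escape code, which a static image has no business containing. It generalises the thread's length==1 case to every size below 3 words (a record is at least a 2-word Size plus a 1-word Function), and, because the exploit snippet earlier on this page sets only the low byte of the function word, it matches on that low byte and notes a non-canonical high byte. The header layout, META_ESCAPE (0x0626) and SETABORTPROC (9) come from the WMF format; the three sample files are constructed here and contain no working payload.

```python
"""Read-only scanner for suspicious WMF record headers (added example)."""
import struct

META_EOF = 0x0000
META_ESCAPE = 0x0626            # record function for GDI Escape
ESCAPE_SETABORTPROC = 0x0009    # escape sub-function SETABORTPROC
MIN_RECORD_WORDS = 3            # Size (2 words) + Function (1 word)
PLACEABLE_KEY = 0x9AC6CDD7      # optional 22-byte placeable header magic
PLACEABLE_HEADER_LEN = 22
STANDARD_HEADER_LEN = 18


def scan_wmf(data: bytes):
    """Walk the record stream; return [(offset, reason), ...], empty if clean."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + STANDARD_HEADER_LEN:
        return [(0, "truncated header")]
    off += STANDARD_HEADER_LEN

    while off + 6 <= len(data):
        # Every record starts with Size (DWORD, counted in 16-bit words) and Function (WORD).
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        # Match on the low byte only; the high byte may be garbage in a crafted file.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and off + 8 <= len(data):
            esc = struct.unpack_from("<H", data, off + 6)[0]  # first param: escape code
            if esc == ESCAPE_SETABORTPROC:
                reason = "META_ESCAPE with SETABORTPROC escape code"
                if func != META_ESCAPE:
                    reason += f" (non-canonical function word 0x{func:04x})"
                findings.append((off, reason))
        if size_words < MIN_RECORD_WORDS:
            # The size can no longer be trusted to advance the cursor; stop here.
            findings.append((off, f"record size {size_words} words below minimum {MIN_RECORD_WORDS}"))
            break
        nxt = off + size_words * 2
        if nxt > len(data):
            findings.append((off, "record runs past end of file"))
            break
        off = nxt
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_wmf(data))


def _header(total_words: int) -> bytes:
    # Standard WMF header: Type=1 (in-memory), HeaderSize=9 words, Version=0x0300,
    # Size in words, NumberOfObjects, MaxRecord, NumberOfMembers.
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 0, 0)


def _record(size_words: int, func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", size_words, func) + params


# Constructed sample files (not real-world captures).
BENIGN_WMF = _header(12) + _record(3, META_EOF)
# Size field of 1 word on an Escape/SETABORTPROC record, followed by filler bytes.
SUSPECT_WMF = _header(12) + _record(1, META_ESCAPE, struct.pack("<H", ESCAPE_SETABORTPROC) + b"XXXX")
# Same, but with a random high byte in the function word, as the page's snippet does.
ODD_FUNC_WMF = _header(12) + _record(1, 0x4126, struct.pack("<H", ESCAPE_SETABORTPROC) + b"XXXX")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF), ("odd-func", ODD_FUNC_WMF)):
        print(name, scan_wmf(blob))
```

The scanner never interprets record contents beyond the two header fields and the first escape parameter, so a malformed size cannot move the cursor into attacker-chosen data; it stops at the first untrustworthy record and reports what it saw.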
  43. Re:Unparalleled BS from MS. by mattbot+5000 · · Score: 4, Insightful
    It's nothing like that actually, you are comparing apples to supernovas.
    It's worse, actually. He's comparing security holes to concentration camps.
  44. Re:Unparalleled BS from MS. by jcr · · Score: 3, Insightful

    Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

    The stories Allied soldiers were told about the nazis paled in comparison to what they saw in the camps. Allied propagandists didn't have the imagination to come up with anything like the holocaust.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  45. When does Microsoft fix the exploit where... by blair1q · · Score: 2, Funny

    posting a URL on /. causes the server to crash?

  46. Re:Another? by Pneuma+ROCKS · · Score: 2
    --
    Favorite quote: "
  47. Easy one to test. by jd · · Score: 2, Insightful
    There are many ways in which 1 could purely coincidentally be tested for - using multiple bitwise operations that don't completely cover the word, for example.

    However, there are a few very specific ways in which you would write code to deliberately look for that specific value in a specific portion of an operation. These ways can be checked by inspecting a disassembled version of the code. (But do this outside of the US, or the DMCA droids will Use The Force.)

    Since WINE shows the same hole and the coders are not the same, it would be my guess that the problem is specifically in a DLL that is used/usable by both. It should also be possible to massage WINE to fire up a disassembler with the correct entry point into the DLL that has the hole, when passing the exploit payload. It might take a while (I suggest getting a few months' supplies in advance), but it should be possible to determine exactly where the exploit is, whether it looks "natural" or not*, and whether that specific section of code is likely called by other graphics routines.

    *A "natural" bug could include a series of conditionals and jumps, where the 1 is simply the untested case that falls into random code. An "unnatural" case would be to test specifically for 1 and to jump in a different way than for other cases. (e.g.: If other cases jump to a subroutine, and 1 does a one-way jump OR on return is the sole case that jumps over all error conditions.) If that one case has an abnormal test and an abnormal jump, it would be next to impossible for it to be accidental.

    Actually, it might be useful against Microsoft in their appeal over the EU ruling. The EU ruling demands greater transparency of protocols and code, and demands code be uninstallable by someone. The politicians might not care much about the exploit, even if it were deliberate, but I'd be willing to bet the EU's lawyers would. Even if Microsoft as a corporation were innocent (yeah, right), it demonstrates a valid legal concern that cannot be resolved using totally closed, airtight methods.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  48. still in use by Anonymous Coward · · Score: 5, Interesting

    The 98 series and NT4 are still in widespread (millions and millions) use. This is called a "problem" then. The auto industry in the US tried to pull this stunt of obsoleting and stopping support for their products in short time frames (sometimes within the SAME model year!) and got legally smacked down for it. Now they are required to provide replacement parts for ten years. Just because normal business product laws and warranties aren't applied to software-yet, and they certainly should be-doesn't mean it wouldn't be a good idea. Planned obsolescence and forced upgrades might be a spiffy way for some corps to extract a lot more dineros from your wallet, but it doesn't mean it's a good idea for you the consumer/end user...unless you are a pure "caveat emptor" anything-goes styled capitalist. Thankfully, most people see the illogic in that sort of system and that is why we have evolved some consumer protection laws. It is not a perfect solution, but it is light years ahead of legalised snakeoil like it was before. Eventually these sorts of laws will be applied to software, because even the dullest clicker is starting to bingo to the fact that most of this forced upgrade stuff is a cash cow dodge.

  49. blank admin password by Mr+44 · · Score: 2, Informative

    Get a clue, troll- if you have a blank admin password, XP prevents ANY remote network access using that account. You are actually more secure with a blank password.

    1. Re:blank admin password by tpgp · · Score: 3, Insightful

      Get a clue, troll-

      If you're going to accuse someone of trolling, you want to be pretty sure about your facts.

      if you have a blank admin password, XP prevents ANY remote network access using that account.

      Hmmmn, that's an interesting band-aid.

      You are actually more secure with a blank password.

      Really? More secure with a blank password? I doubt it.

      Would make privilege escalation pretty damn easy after you'd hacked a user account.

      And it makes all that least privileged user stuff that MS goes on about a little irrelevant too.

      --
      My pics.
    2. Re:blank admin password by John+Newman · · Score: 3, Informative
      Hmmmn, that's an interesting band-aid.
      Must be a pretty recent band-aid, too, since I deloused an XP computer exactly one year ago that had a blank admin account password, and which had been pwned by a worm that spread precisely by trying to log into everything it could see using administrator/[blank].
  50. Probably more to be found, may work together? by Jtheletter · · Score: 2, Insightful
    The freakish thing about this, is that if it is indeed a backdoor, it's an odd way to go about it. You can't force someone to try to view a WMF

    That we know of that is. This has been lurking about in every version of windows since 95, right? And it's taken until now to be brought to light. How many other similar seemingly innocent bits of code in those millions of lines of legacy windows code do similar things? The question is not what can this exploit do on its own, but what can it do in concert with others that may exist? OK, so maybe I'm giving MS or the rogue programmer, or whoever did this (length==1 check and separate thread would imply it's not a mistake) too much credit, but if whoever did this was very clever they might have implemented a waterfall backdoor of sorts. In other words there's two or three exploits that when used in concert spell pwnage for almost any windows box. I'm willing to bet there's more here that hasn't been found yet. I'm also betting, along with others, that MS will not accept responsibility, nor even point the finger at a programmer or contractor/company to take the fall because that would also make them look completely insecure. How many programmers have contributed to windows code over the years? And MS would be admitting they don't have knowledge of any backdoors those programmers may have introduced? No, more likely as Benanov (583592) suggested, MS will simply try to smear Gibson as someone with a vendetta and/or crackpot/idiot and try to downplay the whole thing as it has been.

    This is exactly why closed source is dangerous. Even security through obscurity is useless when the code holders don't know what's in their code. Open source may have similar problems, but at least there's plenty of people looking, and plenty who will be motivated to correct an issue when it's found instead of trying to pretend like it never happened. Which includes the issue of whodunnit and how to stop that from happening again.

    --
    -- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
  51. Re:Another? by monkeydo · · Score: 4, Informative

    Actually, it's pretty well known that that isn't what happened at all.

    --
    Si vis pacem, para bellum
    The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
  52. Right... by WiseWeasel · · Score: 2, Funny

    Yeah, right... trust the Chinese government to uphold our privacy rights. Anyone who runs Red Flag Linux voluntarily should have their head examined. I think Gentoo might be a safe bet...

    --
    "I like systems, their application excepted", George Sand (French)
  53. Re:Another? by lgw · · Score: 5, Funny

    You mean the urban legend about an NSA backdoor? There was *never* any evidence of a backdoor, only a registry key named "NSAKEY" and a bunch of paranoid fantasy. Because, you know, if the NSA did have a secret backdoor, they'd make sure it was called NSAKEY, in case they forgot where it was, or something.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  54. Reflections on Trusting Trust by Mr+Z · · Score: 5, Interesting

    I'm surprised nobody's trotted out Reflections on Trusting Trust, by Ken Thompson. Not only does this discuss a backdoor, but also a backdoor that can't be found by examining the source code.

    1. Re:Reflections on Trusting Trust by 2names · · Score: 2, Insightful

      Instead of tearing me a new one with accusations, why don't you educate me with your knowledge of crypto by putting forth some examples?

      --
      "I'm just here to regulate funkiness."
  55. But wait, there's more... by IPFreely · · Score: 4, Interesting
    If that is all it was, then the same thread would jump into the user code. But wait...

    I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code.

    So, it accidentally created a new thread, and directed the new thread to start executing code at the specific position? That's a whole different level of accident.

    Oh, and Shimmer, I'll take that $5.

    --
    There is nothing so silly as other people's traditions, and nothing so sacred as our own.
    1. Re:But wait, there's more... by ROBOKATZ · · Score: 2, Interesting
      Part of the setup of the AbortProc packet is the callback address. But in this case, the place where the callback address would be is instead the first byte of the newly executed code. So the callback address cannot even be put into the packet properly. That is where the code has to be.

      Keep in mind there is an interpreting layer separating the WMF from the actual GDI call. It's entirely plausible that in some confusion the real Escape call is being passed the address of the argument in the script rather than interpreting the data in the script as the pointer value. Not only is this plausible, but it makes perfect sense -- any function interpreted in this context would have to work this way, for example, TextOut usually accepts a pointer to a string, but I bet in a WMF you would simply supply the string literal, and the WMF interpreter would pass a pointer to that data to the real TextOut.

      The escape for AbortProc is the way to set the callback in the first place. But since the packet is messed up (the length is one rather than the proper length) then effectively the whole "ESC/AbortProc" packet should never even be properly processed.

      It's likely that the length record is merely used to determine what to increment the pointer into the script by once the current packet finishes execution -- if this is the case, an invalid length would not affect the current packet, but then would cause problems after the current packet is processed.

      Finally, someone has pointed out that the length does not have to be one.

      There is nothing outrageous about this in the least.

    2. Re:But wait, there's more... by IPFreely · · Score: 2, Interesting
      Hmmm. Interesting. With all that (esp length != 1) it starts to form a picture.
      Programmer initially writing this thing needs to debug along the way. He puts in AbortProc with embedded code rather than callback pointer (after all, where could it point to?) to make a popup or something. If set properly, it merely keeps the address of the code and continues. Later somewhere it hits an error and aborts. When the interpreter Aborts, he gets his popup in the right place. Maybe he did it for himself, or maybe he did it for someone else who's writing a WMF author. He's not thinking about potential misuse.

      So... What happens if you make an AbortProc packet, with embedded code instead of pointer. Then you set the length properly to point to after the code. Then there's another error later. Will it abort? Will it run the code? It's worth a test to someone with a test harness.

      It's looking more like design. But maybe not malicious design, just "too clever for its own good" design.

      --
      There is nothing so silly as other people's traditions, and nothing so sacred as our own.
  56. Sun and HP for two by Secrity · · Score: 5, Informative

    "Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?"

    I know of at least two. Both Sun and HP still provide support or patches for versions of UNIX System V that are older than Windows 98.

  57. Jumping to conclusions. by matman · · Score: 3, Informative

    Having read the whole thing, I do think that Steve may be jumping to conclusions a bit too quickly.

    I think that we ARE talking about the SETABORTPROC vuln that everyone has been talking about; Steve just finds that the vuln doesn't work quite the same way that he was expecting. It seems that Steve is basing his accusation on the fact that he had to set the length field of the code containing WMF record to 1 (an illegal value) in order to get his code to execute. While this seems odd (and sounds like a "magic value"), there is likely a better explanation. Here's one possibility... The advisory from Secunia at http://secunia.com/advisories/18255/ says that the embedded code executes when any error is detected in parsing the WMF file (not only [or ever?] when canceling printing). Maybe the SETABORTPROC function was originally intended for printing but was overloaded to handle parse error callbacks? Depending on how the parsing code was written, it may treat the invalid length value as such a parsing error, but may have already indexed the beginning of the code block (since it knows the length of the record header) - it just doesn't know when the code block ends. It can then start executing the code block, even though it is an error in the code block's record that caused the error. I wonder if the code block would execute if the correct length was specified but the NEXT record in the WMF contained a similar error (like an invalid length field).

    He may very well be correct that someone has intentionally included this mechanism as a backdoor, but he is being premature in making such claims without first consulting the people who have a lot more experience with this vuln than he does. By the way, MS gives access to their source code to a LOT of outside parties - I'm sure that Steve could have found someone to take a look for him.

    I don't mean to make an ad hominem attack (this podcast is actually fairly accurate - just jumps to conclusions), but Steve isn't exactly known for being a respected researcher in the security industry - he's a bit of a poser and sensationalist/alarmist. My gut feel is that Steve is continuing on his sensationalist streak, jumping to conclusions and trying to drum up more excitement. He frequently hypes issues to crazy levels and tries to make himself look like a hero/expert. In fact, he usually offers little insight and often tries to pass off regurgitation (often inaccurate) as original research. Just listen to him in this recording talking about "rolling up his sleeves" and "wrote all my own code", etc. Look up his stuff on nano-probes (http://grc.com/np/np.htm) for some funny stuff. I am a security professional and can tell you that much of his writing is BS and/or hyped/obfuscated wording for technologies and techniques that have been in common usage for years and years before he writes about them. I just can't help but take Steve's claims with a grain of salt.
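
    An added detection-side example, not code from this thread, from Gibson, or from any project: a small Python walker over WMF records that flags the two properties argued about in ROBOKATZ's and matman's posts above, an Escape record requesting SETABORTPROC and a record whose size field is below the 3-word minimum a record header needs. The sample files are constructed inline with zero padding in place of any record data; the record layout and type codes follow the documented Windows metafile format.

```python
"""Added example: flag WMF records that a viewer has no business honouring.
Constructed samples only; not code from the thread or from any project."""
import struct
from dataclasses import dataclass
from typing import List, Optional

META_EOF = 0x0000
META_SETMAPMODE = 0x0103      # harmless record used as filler in the samples
META_ESCAPE = 0x0626          # record type that maps to a GDI Escape() call
SETABORTPROC = 9              # escape sub-function discussed in the thread
PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the optional 22-byte placeable header
MIN_RECORD_WORDS = 3          # DWORD size + WORD function = 6 bytes = 3 words


@dataclass
class Finding:
    offset: int   # byte offset of the offending record inside the file
    reason: str


def wmf_header() -> bytes:
    """Constructed 18-byte standard header: type 1, header size 9 words,
    version 0x0300; file size, object count and max record size left at 0."""
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)


def wmf_record(func: int, params: bytes = b"", size_words: Optional[int] = None) -> bytes:
    """Build one record. size_words lets a sample lie about its length, which
    is exactly the malformed case the thread is arguing about."""
    if size_words is None:
        size_words = (6 + len(params)) // 2
    return struct.pack("<IH", size_words, func) + params


def scan_wmf(data: bytes) -> List[Finding]:
    """Walk the record chain and return everything a defender would flag."""
    findings: List[Finding] = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                      # skip the placeable header if present
    if len(data) < off + 18:
        return [Finding(0, "truncated: no complete WMF header")]
    off += struct.unpack_from("<H", data, off + 2)[0] * 2   # HeaderSize is in words

    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 10 <= len(data):
            esc_code, _esc_len = struct.unpack_from("<HH", data, off + 6)
            if esc_code == SETABORTPROC:
                findings.append(Finding(off, "META_ESCAPE requests SETABORTPROC; "
                                             "an image viewer has no use for it"))
        if size_words < MIN_RECORD_WORDS:
            findings.append(Finding(off, f"record size {size_words} words is below "
                                         f"the {MIN_RECORD_WORDS}-word minimum"))
            break   # the size field cannot be trusted to locate the next record
        if off + size_words * 2 > len(data):
            findings.append(Finding(off, "record runs past end of file"))
            break
        off += size_words * 2
    else:
        findings.append(Finding(off, "no META_EOF record"))
    return findings


def reasons(data: bytes) -> List[str]:
    return [f.reason for f in scan_wmf(data)]


# Constructed samples: a benign file, and one shaped like the case under
# discussion (Escape/SETABORTPROC with the size field set to 1). The escape
# "data" is zero padding, not executable content.
BENIGN_WMF = (wmf_header()
              + wmf_record(META_SETMAPMODE, struct.pack("<H", 8))
              + wmf_record(META_EOF))
SUSPECT_WMF = (wmf_header()
               + wmf_record(META_SETMAPMODE, struct.pack("<H", 8))
               + wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4,
                            size_words=1)
               + wmf_record(META_EOF))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, scan_wmf(blob) or "clean")
```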

  58. Old coding practices, not conspiracy by g2devi · · Score: 2, Interesting

    > but what possible code could be "fallen through" into
    > that would set CPU execution *inside* the metafile

    Actually, I think it was done for performance reasons (remember, this existed back in the Win 3.0 days).

    Back in ye olden days, there was a common software practice called self modifying code. It was used in some implementations of FORTH, but it was far more popular on systems that had few registers like the C64. It was generally used as a way to dramatically speed up code on those slow processors.

    Have a look at the popular C64/Atari program SpeedScript (see http://www.atarimagazines.com/compute/gazette/198705-speedscript.html or http://www.atariarchives.org/speedscript/ch3.php ).

    The source code gives an example:
    "This module is chiefly concerned with the word processor editing functions. It contains many common subroutines, such as TOPCLR and PRMSG to clear the command line and print messages. It contains the initialization routines and takes care of memory moves (inserts and deletes). A second module, SPEED.2, is responsible for most input/output, including the printer routines. SPEED.1 is the largest file in the linked chain. UMOVE is a high-speed memory move routine. It gets its speed from self-modifying code (the $FFFFs at MOVLOOP are replaced by actual addresses when UMOVE is called). UMOVE is used to move an overlapping range of memory upward (toward location 0), so it is used to delete. Set FROML/FROMH to point to the source area of memory, DESTL/DESTH to point to the destination, and LLEN/HLEN to hold the length of the area being moved."

    1. Re:Old coding practices, not conspiracy by Procyon101 · · Score: 2, Interesting

      This is *SEVERELY* doubtful.

      1) NT Win32 is a fresh implementation of the Win32. This doesn't share Win16 code.
      2) NT, and especially Win32 is written almost entirely in C++. Ever try to do self modifying code in C++?
      3) The security push from 2 years ago would have never let self modifying code pass.
      4) Intel Procs aren't particularly suited to self modifying assembly.
      5) Nobody on the Windows team would seriously consider using it, ever, even if it is joked about on beer Friday. Any attempt to use it in reality would start with a flogging and end with a firing.

    2. Re:Old coding practices, not conspiracy by shadow169 · · Score: 2, Insightful

      2) NT, and especially Win32 is written almost entirely in C++. Ever try to do self modifying code in C++?

      I get the feeling you don't spend your days mired in Win32 application coding. The Win32 libraries are all written in C, not C++. This is why different languages such as C, C++, VB, and even the new .NET runtime can all link to the same libraries, they all support C exports. There are no separate versions of libraries like user32.dll and gdi32.dll for VB, C, C++, etc.

      And oh yes, don't think that MS is re-implementing CreateWindowEx() (in user32.dll) in the .NET world. Any application, no matter where it was written, or in what language, if it runs on Windows it will at sometime end up in CreateWindowEx() (actually CreateWindowExA or CreateWindowExW) in user32.dll.

      Take a look at the actual Win32 API

      http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winprog/winprog/functions_in_alphabetical_order.asp

      See any classes in there?

    3. Re:Old coding practices, not conspiracy by Procyon101 · · Score: 2, Interesting

      Hehe. I didn't say it was *GOOD* C++ :)

      Most MS coding from this era (and even nowadays) is a bit of a mix. It is compiled as C++, but written in a mostly C style and given external C linkage. It's a weird mix. It did allow some C++ constructs that were disallowed prior to C99, like relaxing the location of variable declarations and such, and tightens up the type safety a bit. It also allows some other niceties like structs used internally to occasionally have private members, although these more C++ aspects are rarely used. But yes, you are correct that it is primarily C stylistically (and for linkage purposes) but in reality it is C++ written in a way that makes C++ advocates cry.

  59. Re:Wine proves TFA wrong by spitzak · · Score: 2, Informative

    Apparently WINE does not have this length==1 bug. It has the documented bug, which is "the next 4 bytes of this file are interpreted as a pointer to jump to if you abort printing", which is bad, but not exactly this.

    I'm not really buying this guy's explanation, however. Software errors can have very strange side effects. Probably the short length causes it to reuse (rather than overwrite) the contents of some buffer as the code pointer, and that buffer just happens to contain a pointer to the next record of the metafile, and the length is also considered an error by some other code and thus triggers an "abort". A length of zero is detected and skipped correctly, while lengths of 3 or 4 overwrite enough of the pointer so that it does not work, making this 1 case the only one.

  60. Cue the following scenario by SmallFurryCreature · · Score: 2, Interesting

    A black van pulls up to your ISP, several men in black suits emerge and enter the office.

    Agent A: We would like to access your network routers.

    ISP clerk: Why? Who are you, can I see some papers?

    Agent B: [Pulls out a black gun] You don't need to see our papers geek boy.

    Agent A: Mr. Smith please, not yet. Our papers are in the mail, do you want to wait for them to arrive? Mr. Smith here hates waiting but if you want to force him to wait I am sure that is fine.

    ISP clerk: [looks at Agent B playing with a blackened knife] In the mail you say? Oh that is fine, absolutely let me buzz you in.

    Agent A: Thank you for your cooperation citizen. I will just be a minute, Mr Smith here will keep you company so you won't get lonely and feel the need to call anyone. [enters the machine room while Agent B plays with his knife]

    Agent A: [returns after a few minutes] We will be leaving now. The government thanks you for your cooperation, please refrain from speaking about this with anyone.

    The two agents leave and the ISP clerk decides that he needs another job.

    Question: How to force people to retrieve an infected WMF file? Answer: Control the network.

    Any computer connected to the network does so because an ISP somewhere routes the calls to the proper address. Rerouting it is trivial for the right people.

    This could be done by the government in exactly the same way they redirect phone calls (You never seen a movie where people call phone X only to find themselves talking to phone Y without their knowledge?) OR another reason?

    This "bug" is claimed to be new to windows 2000. Roughly the time of all those worms when it became impossible to patch a new windows online BEFORE it was infected. Now imagine the solution if this had gotten really out of control where a worm so nasty was out that EVERY windows machine connected to the net would instantly be infected. How would you patch all those machines? Especially considering how impossible it is to get users to actually PATCH their bloody machines? You could make the argument that what would be needed is some kind of solution where every windows machine connecting to the net would immediately be patched.

    Cue every ISP being told to redirect their users to a WMF file (every isp is capable of this) and voila, instant enforced patching no matter how much you disabled MS update.

    The only problem with exploiting this is for complete outsiders. The government has absolutely no problem exploiting this exploit to root your machine.

    Is this the explanation? I don't know. I am just guessing and not accepting the easy answer.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  61. malfeature by HTH+NE1 · · Score: 2, Interesting
    Similarly, they are both features. Features can't be bad, right?

    feature : n.

    2. [common] An intended property or behavior (as of a program). Whether it is good or not is immaterial (but if bad, it is also a misfeature).
    So yes, it's a feature, but it isn't a good feature. It would be a misfeature, but I suggest that good and bad aren't sufficient to fully describe this. You need good, bad, and evil. Thus I suggest a new term for evil features like this: malfeature.

    And that one can have "mismalfeatures", though I'd rather make that into "dismalfeatures".
    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  62. Wine bug compared to MS by codemachine · · Score: 2, Interesting

    It should be noted that although Wine does suffer from a WMF vulnerability as well, the behaviour is not the same one as described here. There is no special case for length==1 in Wine, and no way to have your exploit code right after the length field in the WMF. Wine simply implements the same abort routine that MS's API specifies (and can be argued to be a bad idea in itself, but that is MS's fault not Wine's). The way it can be exploited is completely different, and does not resemble a backdoor in any way.

    In fact, the differences between the behaviour of Wine and Windows implies that there is indeed something very unusual about the way Windows handles this special case. Whether it is an intentional problem or just horribly bad coding, that is harder to say.

  63. Re:Wasn't it actually DES? by Ashinberry · · Score: 3, Informative

    Actually the changes suggested by the NSA increased the strength of DES rather than decreasing it.

    http://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html

    --
    I have no .sig
  64. (OT) Re:Unparalleled BS from MS. by Tired_Blood · · Score: 3, Interesting

    The problem encountered by those reporting on the concentration camps was that in the FIRST world war, everybody got exposed to extreme propaganda depicting all Germans as vile creatures. When the exaggerations and lies were brought to light, the public had then learned to seriously doubt such extreme accusations. It could be argued that when the reports from Jan Karski (an eyewitness to the ghetto and concentration camp conditions) were dismissed, it was due to that legacy of doubt in 1943.

    The reporting during WWI damaged the credibility of all reporting during WWII.

    jcr (53032): Allied propagandists didn't have the imagination to come up with anything like the holocaust.

    They most certainly did have the imagination, but they realized that they did not have a willing audience for such accusations. Successful PR cannot be had with seemingly wild claims, especially if the organization has been shown to greatly overexaggerate in the past.

    --
    This is not my sig.
  65. Re:Another? by Nynaeve · · Score: 2, Informative

    Did you not even read your own article? It's not a registry key -- it's a signing key. Furthermore, the key exists and can be replaced with a known key-pair. You can't know it's "paranoid fantasy" or "urban legend" any more than a tinfoil hat can prove it isn't.

    Therefore, any objective judgement must be based on the fact it exists, regardless of how it got there. Arguing about whether it was specifically for clandestine NSA activity is pointless, but I don't like the fact these sorts of things exist.

    From this page linked from another comment:

    The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. This is exactly what the US government has been trying to prevent. A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's [extern] website.

  66. Other Explanations by logicnazi · · Score: 2, Interesting

    As far as I could tell the only evidence present that the vulnerability really was a backdoor was the fact that the message length needed to be set to *exactly* one in order for the vulnerability to work. Presumably the argument then runs that poor coding wouldn't generate such a specific effect so it must be a deliberately coded back door.

    This, however, overlooks many other possibilities and, unless there is other evidence I am unaware of, suggests an ignorance of security vulnerabilities by those making the suggestion. Frequently security vulnerabilities result from data being interpreted in an incorrect fashion as a result of pointer munging or memory collisions. Often some perfectly innocent piece of data (like message length) will get used as an index into some table or mistakenly used instead of the correct variable in some test and cause incorrect execution or privilege escalation of the user's code.

    Even if there is reason to believe this isn't a simple code error like this there are many other explanations other than microsoft or an employee's malevolence. For instance imagine this situation:

    Initially Metafile execution is designed to execute code in the fashion of the vulnerability with no requirement on the header length. This is perfectly plausible if it was programmed by some new hire without much awareness of security. Hell, it could be a bug introduced to do some sort of debug or get something up and working fast which just got left in the codebase. I'm sure all of us have made a change to our code that screws over security just to do some testing and sometimes people forget about it or get fired.

    In any case this security issue in the code base is there and some other parts of windows start relying on it. The security experts eventually notice the issue but by now other parts of windows will break if it gets fixed. Perhaps then the decision is made to partially patch the vulnerability but leave a special value for some fields which triggers the old behavior so as not to break the other parts of windows. If this is the case it would explain microsoft's reluctance to patch 95 and other old systems, because a patch would require rewriting some significant part of the system.

    Perhaps microsoft even intended to fix the vulnerability but the blah-blah group asks the metafile group to leave in a workaround (the special values) so they can continue to work on the rest of their component. Maybe then the groups are late to the deadline and forget about that issue in their rush. Or perhaps by this time the group members who knew about the workaround have left and no one knows to go back and remove it. Or maybe this is fixed as part of some larger patch applied to the source tree and when it breaks the build late at night and someone calls the metafile team whoever answers doesn't realize it's a security issue and backs out the change but forgets to tell the people who made it.

    Whether or not I have the details right the point is clear. There are a hundred innocent ways for this sort of vulnerability to arise. It is silly to jump to the conclusion it is an intentional backdoor.

    --

    If you liked this thought maybe you would find my blog nice too:

  67. ENOUGH. Gibson was right about raw sockets. by Catbeller · · Score: 2, Insightful

    ENOUGH. Gibson was right about raw sockets.

    After the relentless pounding and smearing of Gibson, Microsoft quietly disabled the raw sockets code, whatever the hell it was.

    Gibson was right. They fixed the problem. He was right, The Reg was wrong.

    Jesus, it's like arguing with 20,000 Bill O'Reillys. Truthiness! Gibson is a maaaaadddmaaaannn!

    And since people rarely followup to what they think is truthy, they missed the fact that the only reason the Raw Sockets disaster didn't happen is because MICROSOFT QUIETLY FIXED THE PROBLEM, JUST. LIKE. GIBSON. SAID. THEY. SHOULD.

    And as for being a top security professional, something he never claimed to be - he's a developer - what makes you all think that the very best security people at the NSA and Microsoft don't already know all about the exploit, because it's one of the many that they placed there in the first place?

    Listen, everyperson, Microsoft has cooperated with Justice, the FBI, the NSA and all the other alphabet boys since the beginning. Windows and Office are monitored at will, you can bet your last god damned dollar. Can you imagine MS refusing to cooperate, especially during a ten year monopoly trial??

    (originally posted as AC because I'd moderated; however, even posting as an AC, the code retroactively undid my moderation. Didn't know that would happen. A little warning, Slashcode?)

  68. Waif by djdavetrouble · · Score: 3, Funny

    where you waif that right.

    I really think kate moss doesn't have anything to do with this, despite the recent press tizzy.

    --
    music lover since 1969
  69. Re:Another? by JourneyExpertApe · · Score: 3, Interesting
    Because, you know, if the NSA did have a secret backdoor, they'd make sure it was called NSAKEY, in case they forgot where it was, or something.

    Stranger things have happened. When a German law enforcement agency forced the developers of JAP (Java Anon Proxy) to put a backdoor in it, they put in code like:
    if(crimeDetected) {
        object->logCrime(...);
    }

    And it was an open-source project. Someone later admitted that they were kind of hoping that somebody would notice it, because they didn't think they could legally expose it themselves. Maybe someone at Microsoft didn't think it was right for the NSA to install a back door, and they had a conscience. Wait, what am I saying? This is Microsoft!
    --
    If you can read this sig, you're too close.
  70. Malice by uncle+mole · · Score: 2, Funny

    Never ascribe to malice that which is adequately explained by incompetence. Napoleon Bonaparte

    --
    better is the enemy of good
  71. I'm asking "Why?" by gone.fishing · · Score: 2, Interesting

    I don't want this to sound like I am too "Pro-Microsoft" (I'm not). If Microsoft intentionally put the vulnerability into their product then there must be a reason why. That is the question that I would like someone to answer because it does make all the difference. The question goes straight to motive.

    If the vulnerability was an accident it was stupid and it needs to be fixed. I don't necessarily buy Gibson's reasoning but, I can see how he got there and that is enough to be troubling to me.

    Did some rogue programmer think "This is a cool idea" and against the rules just stuck it in there? I can't believe that Microsoft gives anyone that kind of autonomy. They have to have far better code review policies than that. That is harder for me to believe than anything else!

    Did some group think that this backdoor coupled with some other software could be used for some acceptable purpose in the future? Did someone say "Hey, with some code off of the Genuine Advantage web site we can use this to disable some features on computers that are running pirated software." This is only an example but I hope you get my point. I can see how something like this may be considered and discussed. I'm not so sure it would make it past the lawyers though. Maybe it was started, aborted, and this was a trace that was forgotten about and slipped by? This sounds a little far-fetched but I have seen useless bits of code left behind in other coding projects. I'd buy something like this even though it sounds like something out of a bad movie.

    Did the NSA or some other agency approach Microsoft and ask to have something like this put in their code? We know that they have asked for encryption code before so that they could examine it so maybe this kind of idea isn't so strange? An exploit that the government knows about could give them a significant advantage in cyber-war. Frankly, this sounds like a Tom Clancy wannabe's plot for a novel. But it could happen.

    Honestly though all of this stuff sounds like conspiracy-theory stuff to me. My guess is that it is more innocent than all of that. I'd guess the exploit is a leaving. Something that got left behind from some piece of code that simply didn't make the final cut.

    I'd just like Microsoft to explain themselves this one time. Completely, thoroughly, honestly. Then they can tell us what they will do to ensure it won't happen again.

  72. Plenty evidence....like the backdoor CODE! by kupci · · Score: 3, Insightful
    There's no evidence other than his opinion

    (Defending Microsoft - only on Slashdot. Ok, so some monkees tapping on a keyboard while the programmer wasn't looking snuck this code in ;)

    First of all, Gibson is no bomb thrower, he's uncovered some pretty serious security issues with Microsoft. I'd suggest reading his web site - he's a very thorough person, and doesn't make any wild unsubstantiated, naive, biased claims, like, say, Slashdotters. He's a long time Windows user, not a Mac fan, nor an open-sourcer (at least until recently, for reasons like this). Now, to quote the transcript, curious where you would even be able to make the claim that this *isn't* a backdoor:

    what I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. Okay, Leo? This was not a mistake. This is not buggy code. This was put into Windows by someone. We are never going to know who.

    Yeah, he's saying this is a deliberate backdoor. Listen to the article or read the transcript, then think about it a little. Now, he's not saying *what* Microsoft put this in for. Did someone put this in for testing - that's my take, from a programmer perspective, but .. who the heck knows. That's sorta the problem with proprietary software, we might never know. Buyer beware.

    Steve: Well, I mean, as you've mentioned a couple times here, I mean, one of the advantages of an open source system is, you know, and I'm finding myself gravitating more and more toward open source solutions because of their transparency. And so, you know, but an advantage of that is that all kinds of people are looking at the code, and there's just no opportunity, especially when you build the system yourself from source, there's no opportunity for anything evil to get stuck in. And also, about this what appears to be a Windows MetaFile backdoor that's always been in Windows from 2000 on, you know, they've done recently serious security reviews of all their code. You know, they took that whole timeout from all the work they were going to be doing and said they were rereading all their code. And this is not the first time metafiles have had a problem. There have been what are probably real bugs in metafile processing in the past, I think two of them. So the whole metafile system would have come under the scrutiny of someone, you know, very deliberately. Now, you know, if Microsoft had said last week, whoops, this was an undocumented backdoor or means for us to run code in a metafile, we never documented it, our security sweeps didn't find it, blah blah blah - but nothing was said. They allowed the industry to believe that this was just like all their other code mistakes, but this wasn't like all their other code mistakes.
  73. MSRC responds: Intentional Back door? um no. by Stepto · · Score: 3, Interesting

    We've blogged about this already providing the background of the bug:

    http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

    I emailed Zonk about it but I don't think he's had a chance to update the posting.

    Long story short the idea that this is intentional rests on the premise that only an incorrect value produces the vuln. That is totally wrong, both correct and incorrect values trip the vulnerability. Besides doesn't it seem odd to create a backdoor that would require the user to first visit a website? What, were we going to take out a superbowl ad suggesting people visit www.microsoft.com so we could...uh...what exactly?

    S.

    --
    http://www.stepto.com

  74. Re:ENOUGH. Gibson was right about raw sockets. by Russellkhan · · Score: 2, Informative

    "(originally posted as AC because I'd moderated; however, even posting as an AC, the code retroactively undid my moderation. Didn't know that would happen. A little warning, Slashcode?)"

    I believe that's intentional. I think some people get around it by either logging out and posting AC logged out or by using a whole 'nother browser, again, not logged in. Can't really say for sure, I haven't tried it.

    I probably should post this AC, since it's pretty far from on-topic for the story, but I prefer to be able to know if someone replies to my posts, even if they're OT.

    --
    Information doesn't want to be anthropomorphized anymore.
  75. Gibson wrong yet again. by mkraft · · Score: 2, Informative

    His conclusions once again are completely incorrect.

    See the following post for why this occurred.

    http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx