Microsoft Responds to WMF Vulnerability

← Back to Stories (view on slashdot.org)

Microsoft Responds to WMF Vulnerability

Posted by Zonk on Monday January 16, 2006 @12:34AM from the not-intentional dept.

beuges writes "In an entry on the Microsoft Security Response Center Blog, Stephen Toulouse explains exactly how the WMF flaw could be triggered. BetaNews has an overview of the company's response." From the BetaNews article: "This code exists on every version of Windows since version 3.0, security firms have said. When this functionality was introduced, Toulouse said the security landscape differed from what it is now and metafile records were completely trusted by the operating system. Gibson claimed that the flaw could be exploited only by using a byte size of 1 in the metafile record, which Toulouse says is incorrect. He surmised that Gibson's tests had the offending function as the last entry in the metafile, which caused only incorrect sizes to trigger the flaw." We've previous reported on the backdoor claim.

17 of 221 comments (clear)

Min score:

Reason:

Sort:

Every version since 3.0? by Captain_Thunder · 2006-01-16 00:37 · Score: 5, Insightful

That's quite a long time to have a flaw in your OS. Maybe they should focus more on security rather than a fancy new AeroGlass interface.

--
My journal: Clicky. Read it because it
1. Re:Every version since 3.0? by HugePedlar · 2006-01-16 00:46 · Score: 4, Insightful
  
  Indeed. Sometimes, late at night, I worry about legacy code. Are we ever going to receive a brand new OS from Microsoft, or will each release merely be an upgrade from older versions?
  
  I understand the importance of being able to run old programs, but surely Vista could have included a virtual machine or something for XP compatibility - is it really that hard to create a new OS from scratch with proper security etc. as a starting point, not an add-on? Yes it would be a mammoth task, but MS is pretty big, you know.
  
  I don't know - when you have vulnerable code from Windows 3.1 in your latest release, don't you want to just cut the cord and start again?
  
  --
  Argh.
2. Re:Every version since 3.0? by Stan+Vassilev · 2006-01-16 00:46 · Score: 1, Insightful
  
  "That's quite a long time to have a flaw in your OS. Maybe they should focus more on security rather than a fancy new AeroGlass interface."
  
  Probably you've not noticed but they are focusing on both just fine :)
  The WMF flaw was patched ahead of schedule and it works fine. In the meantime Vista has whole new ways of battling malware.
  
  If you believe delving through millions of code lines written 30 years ago to look for potential holes is what they should concentrate on, they wouldn't be in business by now.
  
  BTW accept the AuroGlass as a knee jerk reaction by the OSX interface. Bill Gates has always knew that when you're on top, the only way is down. They'd rather catch up than do nothing and hope it's some fad that'll pass.
  
  The benefit is for everyone: multithreaded GUI, more responsive, faster, better HW accelerated via DX, and last but not least, it looks pretty nice.
3. Re:Every version since 3.0? by CyricZ · 2006-01-16 01:03 · Score: 1, Insightful
  
  Rewriting software from scratch is almost always a bad idea. This "virtual machine" you suggest may very well introduce bugs worse than this WMF vulnerability.
  
  At least the old code, even if fairly poor security-wise, has in many cases had years of testing. It has been modified to handle obscure situations that may not even be remotely considered today. Not only could such a rewrite lead to a vast decrease in compatibility, but it could also lead to a vast increase in insecurity. It could very well cause the problem it is meant to solve.
  
  --
  Cyric Zndovzny at your service.
4. Re:Every version since 3.0? by CyricZ · 2006-01-16 01:07 · Score: 2, Insightful
  
  The OpenBSD crew was able to perform a security audit of their fairly large codebase, which may very well consist of code that predates anything Microsoft is using today. And remember, they don't have anywhere near the resources that a massive corporation like Microsoft has.
  
  What was the end result of their efforts? An extremely secure operating system. Now, Microsoft probably wouldn't need to take it to that extreme. But even putting out a quarter of the effort of the OpenBSD team could lead to security issues being caught before they are exploited.
  
  --
  Cyric Zndovzny at your service.
5. Re:Every version since 3.0? by CastrTroy · 2006-01-16 01:38 · Score: 4, Insightful
  
  Actually, they didn't actually rewrite from scratch. They used BSD, I think. The problem with this, is that if Microsoft chooses something too close to Unix, then it will be easier for people to move away from their operating system. The reason that many people don't switch now, is that moving is very abrupt, and you not only have to change the OS, but many of the applications at the same time. If the OS was unix based, the move could be much more gradual. The funny thing I remember is that the microsoft research lab created an OS that was based on security from the bottom up, and it still ran faster than windows XP. Which I realize isn't that hard, since it's so slow, but shows that you can build a secure OS, that still performs well.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
6. Re:Every version since 3.0? by poot_rootbeer · 2006-01-16 05:16 · Score: 4, Insightful
  
  Are we ever going to receive a brand new OS from Microsoft, or will each release merely be an upgrade from older versions?
  
  Did Windows NT 3.1 count, or is it disqualified for inheriting code from VMS and OS/2?
  
  Linux can trace its kernel lineage back to 1991, and many of its utilities are much much older than that. Are we ever going to receive a brand new OS from Torvalds?
  
  What's the incentive for anyone to re-invent an operating system from scratch? A desire to create the next BeOS? There's too much collected knowledge in the decades' worth of "legacy" OS code that would be foolish to throw out.
"Landscape has changed" by jav1231 · 2006-01-16 01:01 · Score: 5, Insightful

I think maybe Windows' landscape has changed but security wasn't so passe' to other software makers. I wonder how much arbitrary code could have been executed by UNIX or even Netware in those days? And I leave open the possibility that it could have. In the long run, this was left uncheck and maybe forgotten for what, 12-15 years now? And more importantly, was brought right into the server code from the desktop code.
I think therein lies the fundamental problem with Windows and why SA's warned for years about Microsoft's assbackwards approach to security. Windows is at it's heart a desktop OS and as such has a reverse understanding of security.
Re:Ah those were the days. by maxwell+demon · 2006-01-16 01:03 · Score: 3, Insightful

everyone used telnet and ftp

I think at that time, the typical protocols for those tasks on a PC were "walk to the computer you want to work on" and "floppy disk". Internet just wasn't that common outside academic institutions.
And Windows 3.x was single-user anyway (i.e. as soon as you had physical access to a computer, you didn't need to play any tricks with WMF files, you just could put your code in a .COM or .EXE and start it directly).

--
The Tao of math: The numbers you can count are not the real numbers.
Re:Inverse security evolution by BoneFlower · 2006-01-16 01:10 · Score: 3, Insightful

My guess is they redid the printing system, and didn't fully check what other windows systems were affected.
Re:Why does Windows have so much legacy? by CyricZ · 2006-01-16 01:12 · Score: 1, Insightful

Remaining in the PC world for the moment, let's look at SCO OpenServer. It still has compatibility with Xenix programs written in the early 1980s, before Windows 1.0 was even conceived, let alone released. Then there are mainframe systems today offering compatibility with software going back to the late 1960s.

Legacy support isn't the problem. There are many software products offering legacy support far beyond that of Windows that work just fine, with a relatively good degree of security.

The problem would be poorly written code building upon poorly written code, year after year, decade after decade. That appears to be the case with much of Microsoft's software, save the last five or six years.

--
Cyric Zndovzny at your service.
Illegal byte size in the metafile record by Thorwak · 2006-01-16 01:14 · Score: 0, Insightful

Gibson claimed that the flaw could be exploited only by using a byte size of 1 in the metafile record, which Toulouse says is incorrect.

Yeah, so? Most bugs of this kind is triggered by passing "broken" data.

--
Connection closed by foreign host.
1. Re:Illegal byte size in the metafile record by Jerry+Coffin · 2006-01-16 04:32 · Score: 3, Insightful
  
  Yeah, so? Most bugs of this kind is triggered by passing "broken" data.
  
  It's important (from MS' viewpoint) because Gibson used the incorrect data to support a claim that this was an intentional backdoor. Given Gibson's general modus operandi, I'm sure the data being entirely incorrect won't slow him down a bit, but at least anybody with a somewhat unclouded view of reality realizes he was full of nonsense.
  While you can trigger this with broken data, those who RTFA realize that the broken data is entirely incidental.
  
  --
  The universe is a figment of its own imagination.
Re:Inverse security evolution by cnettel · 2006-01-16 01:28 · Score: 3, Insightful

Or even that printing under NT has used different drivers and different stuff in general than 9x. 95 and classic NT device drivers are REALLY different, although 98 and later supported WDM drivers by emulating a (small) subset of the NT kernel.
Put another way: In NT 4 and later, GDI calls are translated to kernel service calls, in 32-bit. In 9x, it's thunking to a globally mapped 16-bit DLL...
Why XP/2000 and not 9X? by KevinColyer · 2006-01-16 01:36 · Score: 3, Insightful

I wonder whether the reason the wmf vulnerability was fixed in 9X and then broken in XP/2000 has to do with the way the NT stream was created. If I understand it correctly the initially diverged from Win 3.0. Perhaps the code was "fixed" in 9X but they reverted to the NT core code as the development went on into 2000/XP. I hear a lot about the compartmentalisation at MS.

I am inclined to believe in incompetence before conspiracy theories... (although incompetence does not leave me all warm and glowy)
Re:MS shooting itself in the foot? by XMilkProject · 2006-01-16 03:23 · Score: 3, Insightful

Get over yourself.

And for what it's worth, I don't consider it a bug, or a failure, or anything else like that. It's a feature that was implemented in the format. You should always be careful when running formats that can contain executable code, just as you would with a .exe or .scr file.

From MSDN:
A metafile contains records that describe a sequence of application programming interface (API) calls. Metafiles can be recorded (constructed) and played back (displayed).

A metafile is not a 'graphics format' exactly. It is rather a macro of API calls. Obviously one would suspect that such a thing could be used to execute malicious code.

--
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...
Re:Odd thing to introduce... by Kiaser+Zohsay · 2006-01-16 03:41 · Score: 2, Insightful

The Toulouse blog basically proves, as if it weren't obvious, that Gibson is full of crap.

The Toulouse blog states that Gibson is full of crap, without providing any proof. He says the flaw can be triggered with a correct record length, but does not state anything about what conditions might be the trigger. Not that I would expect him to provide those details, but that's what it would take to prove Gibson wrong. Toulouse's response amounts to "Pay no attention to the man behind the curtain" or "These are not the droids you're looking for".

I suppose the proof is in a briefcase, along with all of the UNIX code that IBM copied into Linux.

--
I am not your blowing wind, I am the lightning.