Slashdot Mirror


WMF Flaw not a Backdoor

koro666 writes "In a blog post, Mark Russinovich from SysInternals responded to the allegations made by Steve Gibson labeling the flaw as an intentional backdoor. It seems that the hype was about Steve's discovery that the code would only be executed if the size of the metafile record was deliberately tampered with, which is not the case. The technical details are explained in his post."

9 of 226 comments

  1. Re:I don't think many people take Gibson seriously. by opusman · · Score: 1, Informative

    Gibson is an idiot with a talent for self-promotion.

    The reason no one stumbled onto the WMF thing until now is because Windows is a f*cking big program and, basically, no one spotted it until now.

  2. Re:I thought we covered this by BarryNorton · · Score: 3, Informative

    And already had a link refuting the claim that an invalid record size is necessary: http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

  3. Back door or poor design? You can't really tell by digitaldc · · Score: 3, Informative

    First of all, that was an extremely wordy article to explain the WMF vulnerability, IMHO. But some important points were made:

    if an attacker can get your computer to execute their WMF file through Internet Explorer or Outlook, for example, they can make your system execute arbitrary Windows commands, including downloading malicious applications and launching them.

    My belief is that Microsoft developers decided to implement as much as the GDI function-set as possible.

    In any case, it's not clear that the developers envisioned applications creating on-disk metafiles with abort procedures.

    ...given a choice of believing there was malicious intent or poor design behind this implementation, I'll pick poor design.


    Either way, it is still hard to tell why it was designed that way in the first place, maybe one of these links can tell us?

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  4. Re:it doesn't matter by vdboor · · Score: 5, Informative

    Conspiracy theories don't need reasons backing them up

    You've got a good point here and it describes the other side of Steve Gibson. After reading that site, you'll understand his stories are mostly made of popular speak or disinformation, rather than scientific information.

    So while you may admire him for his charisma, you shouldn't for his expertise. Were you to e-mail him about an error, he'd silently correct it as if he'd always known it. You won't find him at an official security conference, but in the eyes of his fanbase he remains a god. I can imagine people are falling for his stories though; his stories make you get excited easily.

    --
    The best way to accelerate a windows server is by 9.81 m/s2 ;-)
  5. Re:I don't think many people take Gibson seriously. by BuR4N · · Score: 2, Informative

    "how on earth could it have survived five years under the new security aware, code auditing regime that we supposedly have at Microsoft?"

    It takes time to look through 35 million (Windows 2000) - 40 million (Windows XP) lines of code...even for a big company.

    Slightly off topic, but I was pleasantly surprised to see that in Visual Studio 2005 (probably they were already there in VS 2003, but I've never used that one) most of the offending runtime functions (memcpy, strcpy etc.) have been marked deprecated and replaced with more secure functions checking for buffer overflow.

    Many other features, such as ones to stop hijacking of the stack pointer etc., have also been implemented.

    --
    http://www.intellipool.se/ - Intellipool Network Monitor
  6. The final update from Steve Gibson by mattotoole · · Score: 2, Informative

    Steve Gibson gave his final word on this matter in a thisweekintech podcast interview: http://thisweekintech.com/sn23

    Briefly, someone at Microsoft had the bright idea that one should be able to run code inside an image, for whatever reason. This left a backdoor, probably unintentional. Mr. Gibson regrets that his use of the term "backdoor" implied malice to some people. This was not his intention.

  7. Re:Back door or poor design? You can't really tell by spectecjr · · Score: 4, Informative

    Either way, it is still hard to tell why it was designed that way in the first place, maybe one of these links can tell us?

    It's quite simple:

    WMF is used under the hood in lots of places in GDI. Any time GDI passes a bunch o' commands from one place to another, you'll find WMF. And as a result, WMF encapsulates almost everything you can do with GDI.

    SetAbortProc is used to allow an app to display a custom "Printing Page xxx of xxx... [Cancel]" dialog on Windows 2.0, 3.0 and 3.1, all of which are cooperatively multitasking and so need to drain their message queues on a regular basis - which they do every time that AbortProc is called.

    There are even examples of this exact behavior on MSDN. It's still semi-useful under later versions of Windows to be able to do this, and it's good for backwards compatibility, so it stuck around.

    --
    Coming soon - pyrogyra
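
As an added illustration of the record layout spectecjr describes (example code, not from the thread, Microsoft or any of the linked posts), here is a small WMF record walker that reports any META_ESCAPE record selecting SetAbortProc without relying on a malformed size field, which is the point the summary and the MSRC link make, and separately reports inconsistent record sizes. META_ESCAPE (0x0626), SETABORTPROC (9) and the placeable-header magic are the documented wingdi.h values; the sample metafiles are constructed in memory.

```python
import struct

# Documented wingdi.h constants: the escape record type, the escape
# subfunction that installs an abort procedure, and the placeable magic.
META_ESCAPE = 0x0626
SETABORTPROC = 9
PLACEABLE_MAGIC = 0x9AC6CDD7

def scan_wmf(data):
    """Return (offset, kind) findings: 'setabortproc' for a META_ESCAPE
    record selecting SETABORTPROC (checked before the size field, so a
    correct size does not hide it), 'bad_size' for a malformed rdSize."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the optional 22-byte placeable (Aldus) header
    if len(data) < off + 18:
        return findings  # too short for the standard header
    header_words = struct.unpack_from('<H', data, off + 2)[0]  # mtHeaderSize
    off += header_words * 2
    while off + 6 <= len(data):
        rd_size_words, rd_func = struct.unpack_from('<IH', data, off)
        rec_len = rd_size_words * 2  # rdSize is in 16-bit words
        if rd_func == META_ESCAPE and off + 10 <= len(data):
            esc_func = struct.unpack_from('<H', data, off + 6)[0]
            if esc_func == SETABORTPROC:
                findings.append((off, 'setabortproc'))
        if rec_len < 6 or off + rec_len > len(data):
            findings.append((off, 'bad_size'))  # prefix alone is 6 bytes
            break
        if rd_func == 0:  # META_EOF
            break
        off += rec_len
    return findings

# Constructed in-memory samples (not real files). Header fields: mtType,
# mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters,
# sizes in 16-bit words; each is followed by records and META_EOF.
SAMPLE_BENIGN = (struct.pack('<HHHIHIH', 1, 9, 0x0300, 16, 0, 4, 0)
                 + struct.pack('<IHH', 4, 0x0103, 1)  # META_SETMAPMODE
                 + struct.pack('<IH', 3, 0))
# Escape record with a correct size field, followed by two filler bytes.
SAMPLE_ESCAPE = (struct.pack('<HHHIHIH', 1, 9, 0x0300, 18, 0, 6, 0)
                 + struct.pack('<IHHH', 6, META_ESCAPE, SETABORTPROC, 2)
                 + b'\x00\x00' + struct.pack('<IH', 3, 0))
# Same record with rdSize deliberately wrong: both findings are reported.
SAMPLE_TAMPERED = SAMPLE_ESCAPE[:18] + struct.pack('<I', 1) + SAMPLE_ESCAPE[22:]
```

Because the escape is matched on its function code rather than on a broken size field, the walker flags the correctly sized sample just as it flags the tampered one.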
  8. Re:I don't think many people take Gibson seriously. by electroniceric · · Score: 2, Informative

    Another thing this points out is just how much Microsoft resists open standards. As far as I can tell, the chief reason WMF was and is still widely supported in Windows is that it effectively emulates vector graphics. How many opportunities did Microsoft turn down to put in SVG, PDF, or similar support?

  9. It does matter (was Re:it doesn't matter) by mysticgoat · · Score: 3, Informative

    Conspiracy theories don't need reasons backing them up.

    There is no way to disagree with that, if one accepts the anthropomorphism. s/theories/theorists/ would make this a stronger statement.

    But whatever... At the time this particular exploit was introduced into Windows, there was definitely a conspiracy within Microsoft that involved at the very least mucking about with the documentation of the Windows API.

    One of the reasons that Win30 and Win31 succeeded in capturing the market so quickly was because MS made the Windows API available to application competitors, notably Quattro Pro, then from Borland, and WordPerfect, then from WordPerfect. MS presented Windows as being a Good Thing for the entire software industry and got a lot of needed buy-in on that basis. During the development process for Win31, it was highly significant to the marketplace that Borland, WordPerfect, and other industry leaders of DOS software were writing native Windows versions of their applications, and urging their customers to upgrade from the DOS versions to the Windows versions. (The DOS versions ran better under OS/2 than they did under Windows since OS/2 had preemptive multitasking; moving the market to Windows versions of these products was critical to MS if Windows with its cooperative multitasking was going to survive the OS/2 challenge).

    But MS wasn't playing fair: when Win31 came out, Excel and Word danced rings around Quattro Pro and WordPerfect. And when people started to look at how MS was able to get such better performance out of the same API, they found that the MS application coders were not using the same API at all: they were relying on undocumented features and features that were documented in misleading ways.

    This and similar shenanigans from MS are matters of historic record, vetted by the courts. There can be no question that MS is a company that has used conspiracy tactics to gain market share. There can be no question that MS was doing this at the time it implemented the WMF structure under Windows.

    Where does the WMF vulnerability fit in, in light of this background? Obviously it was not written initially as an internet backdoor.

    But consider an MS application that used a trademarked WMF graphic on its splash screen. That graphic could run a small bit of code that would unlock hidden capabilities in the Windows API. For example, it could set DEBUG=TRUE in some low level part of the task scheduler, turning off chunks of code that other applications would have to wade through, and thus making the MS app so much more efficient in a way that would be undetectable even on disassembling the code. There is no technical reason why the WMF vulnerability could not have been used in this way. There is no question that the MS corporate culture of that time would have celebrated and rewarded this kind of cleverness. In view of this background, and the fact that this vulnerability managed to survive the intense scrutiny of several major code revisions, the only reasonable assumption is that the WMF vulnerability is a deliberate backdoor and has been kept around because MS has thought it would be useful to them.

    MS has always been a company that has put more value on cleverness than on ethics.

    So the questions now are what has MS used this backdoor for, and what have been their plans for future use? Anyone who has used a Windows machine recently should be wondering what information MS has gathered from them and what MS is doing with that information -- the ability to swap a keyboard logger in and out as different graphics or icons are presented while an application is running is a disturbing thought.

    I continue to think that there is cause here to consider a Grand Jury investigation. I don't see any other way in which MS employees could demonstrate that their unethical business practices haven't transgressed over the fine line and become criminal behaviors.