Slashdot Log In
WMF Vulnerability is an Intentional Backdoor?
Posted by
Zonk
on Fri Jan 13, 2006 12:36 PM
from the take-with-a-grain-of-salt dept.
from the take-with-a-grain-of-salt dept.
An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.
This discussion has been archived.
No new comments can be posted.
WMF Vulnerability is an Intentional Backdoor?
|
Log In/Create an Account
| Top
| 788 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
|
2
(1)
|
2
Re:Another? (Score:5, Funny)
(http://www.chemicalwonderland.net/ | Last Journal: Monday September 03, @10:34PM)
*looks at clipboard*
Ok Goatse linkers, thats your cue.
Re:Another? (Score:5, Informative)
(http://slashdot.org/)
Re:Another? (Score:5, Funny)
(Last Journal: Tuesday June 28 2005, @12:57PM)
Reflections on Trusting Trust (Score:5, Interesting)
(http://sdk-1600.spatula-city.org/ | Last Journal: Monday October 01, @05:36PM)
Waif (Score:4, Funny)
(http://djdavetrouble.com/ | Last Journal: Thursday September 01 2005, @10:34PM)
I really think kate moss doesn't have anything to do with this, despite the recent press tizzy.
I would not be suprised at all. (Score:5, Interesting)
(http://altgrendel.exit0.us/)
Its happened before and it will happen again. Whether this is the case remains to be seen.
Re:I would not be suprised at all. (Score:5, Insightful)
This seems to be only useful if MS itself wanted to use it. Use your imagination as to what they'd do with it. I can think of all kinds of things.
Re:I would not be suprised at all. (Score:4, Insightful)
(http://slashdot.org/)
Re:I would not be suprised at all. (Score:5, Informative)
(http://www.game-point.net/ | Last Journal: Monday November 14 2005, @09:19AM)
Eh? I just downloaded it, it's linked to from here [grc.com].
Re:I would not be suprised at all. (Score:5, Funny)
I presume you are willing to show the details of your extensive research that determined this factoid....
Re:I would not be suprised at all. (Score:5, Insightful)
(http://rav.realitybytes.tk/ | Last Journal: Friday December 23 2005, @12:53AM)
I can't personally think of any kind of official reason why Microsoft would want to shove code onto Windows machines just from visiting their website. They've got tons of other ways of doing this.
Re:I would not be suprised at all. (Score:5, Insightful)
- How about a totally stupid idea that MS thought was good?
I mean MS has a long history of ignoring security for usability, lock in and whatnot. WMF dates back to close to 10 years, back when MS really didn't give a damn about security. Even after a the big Gates propaganda email and Trusted Computing Initiative and all the hoopla, XP SP2 allows blank passwords for administrators, the user created during installation is an administrator, again if password is blank no one gives a shit. Remote registry is on by default. RPC on by default. Administrative shares are on by default. Not to mention a plethora of completely useless services.
MS just doesn't understand security. This WMF example is nothing different. It's some ancient code that never got looked at. Add to that the fact everyone and his mother is root, AND that the OS is a big bowl of spaghetti (hi2u IE deep in kernel), you get another attack vector vs Windows systems.
Did someone maliciously implement this WMF "feature"? I doubt it. It looks like another regular MS security hole that shows that MS has no clue about security.
Re:blank admin password (Score:4, Insightful)
(http://slashdot.org/~tpgp)
If you're going to accuse someone of trolling, you want to be pretty sure about your facts.
if you have a blank admin password, XP prevents ANY remote network access using that account.
Hmmmn, thats an interesting band-aid.
You are actually more secure with a blank password.
Really? More secure with a blank password? I doubt it.
Would make privilige escalation pretty damn easy after you'd hacked a user account.
And it makes all that least priviliged user stuff that MS goes on about a little irrelevant too.
Re:blank admin password (Score:4, Informative)
Re:I would not be suprised at all. (Score:4, Informative)
(http://slashdot.org/)
According to the docs, SetAbortProc should provide a pointer to callback function that is called when a print is aborted. This in itself sounds like a security hole, but it could only be fired if the print is canceled, and then it can only run a preexisting callback method, not arbitary code.
According to Gibson, if you call SetAbortProc with a special key, it will instantly start running arbitary code from within the WMF. No cancelled print or preexisting method calls are requried.
If Gibson is correct, this bug is much different then how it looks on the surface.
Re:I would not be suprised at all. (Score:4, Informative)
NSA (Score:5, Funny)
Government backdoor? (Score:5, Interesting)
If this isn't a glaring example on why you should support open source, I don't know what is....
Re:Government backdoor? (Score:5, Interesting)
(Last Journal: Sunday November 06 2005, @05:24PM)
The function in question has existed for a long time. The exploit is in Windows 2000 and more recent. From the transcript:
Re:Government backdoor? (Score:4, Informative)
(http://slashdot.org/)
Re:Government backdoor? (Score:5, Informative)
http://www.schneier.com/crypto-gram-9909.html#NSA
The fact is, the majority of the people making claims about this don't even understand what it does. The majority of the speculation isn't possible. It doesn't give anyone (Not even Microsoft, much less the NSA) a backdoor into your computer.
Re:Government backdoor? (Score:5, Informative)
(http://www.metatrontech.com/ | Last Journal: Sunday October 21, @01:39PM)
The NSA is (in theory at least) legally forbidden to spy on Americans. Their main mission involves cryptoanalysis (codebreaking) and signal intelligence. So they spend a lot of time in foreign countries evesdropping on cell phone calls and the like. They have also been very much involved in the development of computerized cryptography (witness their role in the creation of DES). In this latter case, they have probably attempted to balance their interests in codebreaking with the legitimate interests in algorythmically secure encryption (i.e. make DES algorythmically secure, but shorten the key so we can break it if we really have to).
The rise of independant professional cryptography organizations, like RSA, Inc. has created a very serious problem for the NSA in this regard. In general, most of these new systems use variable length keys and are highly peer reviewed for attack potential. So the NSA cannot count on being able to brute force decrypt a document within a reasonable timeframe in the event of a clear and present need to decrypt the information.
Therefore, I believe that most of these are there to allow the NSA to bypass the encryption algorythms in Windows and allow them to access the information without having to attack the encryption. This would make reasonable sense given the NSA history.
Now, I see *no* reason to suppose that the NSA has anything to do with the WMF exploit. Instead, I suggest that this is likely to be a backdoor either put in place by a developer, at the request of a partner (such as the RIAA), etc. This backdoor has *nothing* to do with anything the NSA typically gets involved in, so I think even the most paranoid analysis can rule them out. Instead, this is just a strange attempt to allow the Media Player to be subverted and used in what ever way an attacker decides.
Now, Microsoft's response to this has been inadequate (they only grudgingly developed a patch), which suggests that this backdoor had the blessing of the company, much like the response to the Sony DRM rootkit which was undetected by agreement with First4Internet. Lest I appear to be too hard on Microsoft, I found Symantec's response ("Oh, we will start removing it" when First4Internet claims they were working with Symantec to ensure that it would not be removed) to be far less trustworthy.
Anyway, there is enough doubt in my mind about Microsoft's goodwill on these areas that I would not suggest running Windows in any environment that absolutely requires security. The system has fundamental design flaws from a security point of view, and these problems continue to underscore either serious development issues at Microsoft or an attitude that the security of the customer is not really that important.
Re:You're on (Score:5, Informative)
(http://www.cnycomputerservice.com/)
Re:Unparalleled BS from MS. (Score:5, Insightful)
It's nothing like that actually, you are comparing apples to supernovas.
~S
Re:Unparalleled BS from MS. (Score:5, Insightful)
(http://www.asstastic.org/)
Re:Unparalleled BS from MS. (Score:4, Insightful)
(Last Journal: Sunday November 05 2006, @05:31AM)
The stories Allied soldiers were told about the nazis paled in comparison to what they saw in the camps. Allied propagandists didn't have the imagination to come up with anything like the holocaust.
-jcr
(OT) Re:Unparalleled BS from MS. (Score:4, Interesting)
The reporting during WWI damaged the credibility of all reporting during WWII.
jcr (53032): Allied propagandists didn't have the imagination to come up with anything like the holocaust.
They most certainly did have the imagination, but they realized that they did not have a willing audience for such accusations. Successful PR cannot be had with seemingly wild claims, especially if the organization has been shown to greatly overexaggerate in the past.
Length==1 (Score:5, Insightful)
Re:Length==1 (Score:4, Insightful)
(http://www.livejournal.com/users/anarchetic/)
Re:Length==1 (Score:4, Interesting)
(http://www.bernsrite.com/ | Last Journal: Monday June 27 2005, @11:36PM)
"Never ascribe to malice that which is adequately explained by incompetence."
But wait, there's more... (Score:5, Interesting)
(http://slashdot.org/ | Last Journal: Tuesday May 17 2005, @09:12AM)
I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code.
So, it accidently created a new thread, and directed the new thread to start executing code at the specific position? That's a whole different level of accident.
Oh, and Shimmer, I'll take that 5$.
Re:Length==1 (Score:5, Insightful)
(Last Journal: Tuesday February 25 2003, @08:33PM)
I can see this being a programmer supplied backdoor, like a hook for easter eggs, but based on the other security work done in MS, anything that can be gotten into that is there on purpose is locked up pretty tight to any casual attempts.
Re:Length==1 (Score:5, Interesting)
But I still have a hard time seeing how code would *accidentally* behave like this. An invalid length should abort processing right off the bad, for one thing; "falling through" might be an explanation, but what possible code could be "fallen through" into that would set CPU execution *inside* the metafile -- moreover, would set CPU execution to the *next byte* after the erroneous header block. That's awfully convenient; if it were a mistake, I'd expect code execution to begin at some other random location, probably influenced by whatever happened to be in the register or some temporary pointer variable at the time. But the very next byte? That's too insanely convenient -- you get to provide your key *and* your payload in the *same* place.
You could argue that buffer overrun exploits do the same thing, but the idea of the buffer overflow is to specifically overwrite the function-return pointer to *make* it point at your code. In this case, the exploit doesn't have to specify the location of the code to execute, Windows does that for you. Too convenient.
Thread Creation (Score:5, Insightful)
I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.
I think the real giveaway here is that Windows creates a new thread when presented with this magic length. That's like rolling out the red carpet for the attacking Huns. I don't think the average buffer overflow type exploit gets it's own thread or process.
And of course it's still possible that it was all a mistake. The C language can be used to write some extremely tangled code, if one is so inclined. Something like an incorrectly used setjmp/longjmp could have effects like this.
Re:Thread Creation (Score:5, Insightful)
Again, agreed. But again, the catch is in the particular kind of odd behavior. If I were writing that code and it hit an invalid length, I'd probably abort processing of the whole file, presuming data corruption. Failing that I'd just skip over the flawed block and proceed with processing the next one. In that case, I could imagine not checking the length very carefully and just going to " + " to process the next block -- this would produce the observed "next byte" pointer.
The problem is in the semantics: I said *process* the next block, not *execute* it. If anything this would just cascade into more error cases, since the data that was expected to be the "next block" would almost definitely also have a malformed header (since it wasn't intended to be a header at all), etc.
So, I guess you're right - the tipoff is still that actual code is executed without having to be specifically pointed to (i.e. buffer overrun), and that it's executed in its own thread, rather than taking over the processing thread that was interpreting the metafile in the first place.
Re:Thread Creation (Score:4, Insightful)
But that's only an issue if the WMF-processing code doesn't create a new thread in order to call the subroutine in the valid case. In reality you'd almost certainly want the callback to happen in its own thread, rather than to allow anyone to run abitrary code in the same thread as the print server.
Think about it like a programmer (Score:5, Interesting)
(http://www.ringdev.com/ | Last Journal: Tuesday May 08 2007, @01:50PM)
exit standard processing
encounter SetAbortProc
open thread to communicate with windows print manager
thread attempts to read [length] bytes for sub value, encounters overrun
this is where I'm guessing the real horrendous problem lies. I'm guessing that the original code ignores exceptions while pulling in the sub value, so in this case where code hits an overrun, instead of that sub value getting a few bytes of data, it just graps until . In this case that sub value winds up being the payload.
So there you go, key and payload on an independent thread because of a bad exception handler in a 12 year old block of code.
-Rick
Re:Length==1 (Score:5, Informative)
In this case, the smallest possible "length" value is 6, because the header itself takes 6 bytes, so even if the unit had no actual data, the length field itself and the unit's command code is a minimum of 6 bytes.
To trigger the exploit, the length must be set to 1. Not 2, 3, 0, or some other equally invalid value, but only the value "1". Any other value has no effect at all.
Re:Length==1 (Score:4, Funny)
(http://thelifeofbryan.multiply.com/ | Last Journal: Tuesday February 20 2007, @12:20AM)
And the counting of the length shall be ONE!
Sorry, couldn’t resist.
Re:Length==1 (Score:5, Informative)
It might have been convincing if it were true. The vulnerability checker [hexblog.com] from Ilfak Guilfanov's site uses length==17 to trigger the exploit (Look in the wmfhdr.wmf file in the source zip. The length is a little-endian DWORD at offset 0x12.)
The Metasploit module [metasploit.com] uses a length of 4. Check out the following snippet:
#
# StandardMetaRecord - Escape()
#
pack('Vvv',
# DWORD Size;
4,
# WORD Function;
int(rand(256) << 8) + 0x26,
# WORD Parameters[];
9,
). $shellcode .
I think Steve Gibson is confused.
do you mean (Score:4, Interesting)
This Steve Gibson [grcsucks.com] ?, yeah he is a real security expert, along with his podcast boy wonder we have much to be afraid of
Ah, nice Ad-Hominem attack in there... (Score:5, Insightful)
(http://slashdot.org/~Spy+der+Mann/journal/ | Last Journal: Saturday November 10, @01:50AM)
IMHO your "debunking steve gibson" site is nothing but a smokescreen to divert the attention from Microsoft's vulnerabilities and backdoors.
Re:Ah, nice Ad-Hominem attack in there... (Score:4, Informative)
In my not so humble opinion, you don't know what you are talking about. Go read some of the links in that site, and you'll see that Steve Gibson is one of the many "security experts" that have no clue but gives dangerous and very wrong "solutions".
Re:Ah, nice Ad-Hominem attack in there... (Score:5, Insightful)
In my ever-so-humble opinion you completely missed the point of the parent. The reputation, sanity, motives, and anything else dealing with the person making the claim has nothing to do with the validity of the claim itself.
In this particular instance, there is at least some apparent merit to the idea that this was an intentional backdoor, and that merit would be there regardless of who points it out.
If you want to discredit the idea that this is an intentional backdoor (of which I am far from convinced), then you should attack the argument directly, not the man making it.
Re:And this door leads to... (Score:5, Insightful)
Re:And this door leads to... (Score:4, Insightful)
(http://www.dreamhost.com/r.cgi?39901 | Last Journal: Tuesday August 03 2004, @11:07PM)
Since profit is all a corporation cares about, suing away those profits is the only way to punish it.
Re:And this door leads to... (Score:4, Insightful)
(Last Journal: Friday October 26, @01:12AM)
A lawsuit is not the answer to everything.
Too true.
This is a case for criminal prosecution. Gibson has uncovered evidence that at face value demonstrates that there has been a conspiracy to defraud Windows users, and possibly to defraud Microsoft Corporation itself. Microsoft's internal documents would identify the coder(s) involved in this deceit, and possibly other conspirators.
I think it is time for the Washington State Attorney General to give this to a Grand Jury. (IANAL, but I think it is the business of a Grand Jury to determine if a crime has been committed in this kind of circumstance).
Let a Grand Jury hear this evidence and decide whether it appears that some person(s) deliberately set out to violate the privacy of Windows users.
SetAbortProc (Score:3, Informative)
Possible uses? (Score:4, Interesting)
Re:Possible uses? (Score:5, Interesting)
Bugs don't have to be well-coded (Score:3, Interesting)
(http://www.sdonag.plus.com/ | Last Journal: Wednesday June 07 2006, @04:05AM)
Lawsuit time (Score:5, Interesting)
(http://www.animats.com)
It's possible to get to the bottom of this by legal means.
Based on that information (Score:3, Interesting)
(http://www.informationr.us/ | Last Journal: Monday November 05, @09:38AM)
Magic Lantern? (Score:5, Interesting)
The notion of a backdoor in Windows isn't new. Perhaps the WMF vulnerability was one of the vectors used by Magic Lantern [wired.com], which was the code word for at least one of the FBI's keylogger programs. Magic Lantern was notable in that antivirus providers participated with the Feebs in a gentleman's agreement to not look for it.
It's certainly a dumb enough solution that the IT-challenged FBI might go for it.
On relative dumbness and smartness, I'd expect smart spies, namely those who work for two other notable three-letter-agencies, to use somewhat more interesting techniques. If it were me, I'd take advantage of equipment I had in place at critical infrastructure points to conduct MITM attacks between a PC and Windows Update servers, in order to transparently install my spookware on only those machines that specifically identify themselves - by means of GUID or whatever other stuff I could glean from the Windows Genuine Advantage and other DRM-related bitstreams - as belonging to my target population.
Paranoid? If you're not paranoid, you're not thinking far enough ahead.
Steve Gibson is a crackpot (Score:3, Informative)
The guy is a massive alarmist and I wouldn't take anything he says seriously. He loves to cry about the end of the digital world type scenarios, perhaps because he really believes it, or perhaps because it gets him more business.
Re:Steve Gibson is a crackpot (Score:5, Interesting)
(http://slashdot.org/~Moby%20Cock)
Re:Steve Gibson is a crackpot (Score:5, Informative)
(http://www.tigershaunt.com/)
Re:Steve Gibson is a crackpot (Score:5, Informative)
Interesting evidence (Score:4, Insightful)
(http://www.developerx.com/)
It's a straightforward way to add a backdoor that will bypass firewalls, etc. It can be triggered by a browsed page, email, etc. It's better than gif/jpeg encoding because those are more "platform independent." and the payload would be more likely noticed by a 3rd party decoder.
On the other hand, isn't this flagged as an attempt to execute code on a data page?
Also, if it were official, doesn't MS have easier ways into a general box - say through security updates, or even the entire existing code base?
Please not Gibson again... (Score:3, Informative)
http://www.grcsucks.com/ [grcsucks.com]
Re:Please not Gibson again... (Score:5, Insightful)
What about wine? (Score:3, Interesting)
http://it.slashdot.org/article.pl?sid=06/01/06/20
Yeah... (Score:5, Informative)
(http://slashdot.org/)
S.G. is a flaming idiot, he looks for (and imagines) ghosts and spooks in every corner. Then flogs his conspiracy theories to promote himself and his buisness. This probably holds about as much water as the "discovery" of cold fusion and Korean human cloning.
Why aren't we reporting on REAL bugs like the 4 security vulnerabilities found in iTunes this week which opens both Windows and Mac users to external attack? Was the Microsoft bashing quota too low this week?
What is becoming of
Re:Yeah... (Score:5, Insightful)
As Eddie Deezen would say... (Score:3, Funny)
You guys are so dumb, I'd go straight through Falken's Maze.
I just hope David Lightman isn't reading this... we'd only have a few days until it was all over for us...
Patch (Score:3, Insightful)
(Last Journal: Tuesday May 03 2005, @09:38PM)
Who DOCUMENTS their evil backdoor? (Score:5, Insightful)
(http://www.icsi.berkeley.edu/~nweaver/)
Lest we forget that Wine also proved vulnerable, and it was a clean-reimplementation of the specs!
This guy is a moron. (Score:5, Informative)
(http://www.diamondcellar.com/)
"Thank you Microsoft for blessing us with a patch to fix the products
you currently sell. The products that compete with Linux and Macintosh.
Excellent job at diverting the our attention away from the fact that
Windows 95, Windows 98, Windows 98SE, Windows Millennium Edition, and
Windows NT4 remain vulnerable. Neat trick convincing people that "the
vulnerability is not critical because an exploitable attack vector has
not been identified that would yield a Critical severity rating for
these versions."
Lemme see here. Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?
Ridiculous.
still in use (Score:5, Interesting)
Sun and HP for two (Score:5, Informative)
I know of at least two. Both Sun and HP still provide support or patches for versions of UNIX System V that are older than Windows 98.
Back door flaw? (Score:4, Funny)
Why hasn't he stepped into the WMF interpreter? (Score:5, Interesting)
Backdoor Holes (Score:3, Funny)
Would be a Crappy Backdoor (Score:5, Informative)
(http://www.ermacstudios.org/)
If that's the case, they chose a dumb place to put it, because the exploit doesn't even work on Windows 2000 and below without some program installed to handle WMF files. From Larry Seltzer's blog (linked from F-Secure):
http://blog.ziffdavis.com/seltzer/archive/2006/01/ 03/39684.aspx [ziffdavis.com]
That means that unless Microsoft used some OTHER backdoor to install a handler for it, this backdoor is useless. I suspect this is merely an oversight on their part, and that it just ends up looking bad when you view it from the outside. The only way to know is to see the source code and well, we know how likely that is.
A real backdoor would be something remotely exploitable via the network, as opposed to hiding inside a file or something like that.
Not sure... (Score:3, Insightful)
1 as an input value is one of those classic boundary conditions that developers should always specifically test against (but sometimes don't...along with 0, negative numbers, MAX_whatever, etc)...so I'm not convinced that it was just a coding error. If the "magic key" length was something completely random like 6385492, then I would be more suspicious.
C'mon MS...let's see the code!
When does Microsoft fix the exploit where... (Score:3, Funny)
(Last Journal: Thursday October 17 2002, @10:28AM)
Jumping to conclusions. (Score:4, Informative)
I think that we ARE talking about the SETABORTPROC vuln that everyone has been talking about; Steve just finds that the vuln doesn't work quite the same way that he was expecting. It seems that Steve is basing his accusation on the fact that he had to set the length field of the code containing WMF record to 1 (an illegal value) in order to get his code to execute. While this seems odd (and sounds like a "magic value"), there is likely a better explanation. Here's one possibility... The advisory from Secunia at http://secunia.com/advisories/18255/ [secunia.com] says that the embedded code executes when any error is detected in parsing the WMF file (not only [or ever?] when canceling printing). Maybe the SETABORTPROC function was originally intended for printing but was overloaded to handle parse error callbacks? Depending on how the parsing code was written, it may treat the invalid length value as such a parsing error, but may have already indexed the the beginning of the code block (since it knows the length of the record header) - it just doesn't know when the code block ends. It can then start executing the code block, even though it is an error in the code block's record that caused the error. I wonder if the code block would execute if the correct length was specified but the NEXT record in the WMF contained a similar error (like an invalid length field).
He may very well be correct that someone has intentionally included this mechanism as a backdoor, but he is being premature in making such claims without first consulting the people who have a lot more experience with this vuln than he does. By the way, MS gives access to their source code to a LOT of outside parties - I'm sure that Steve could have found someone to take a look for him.
I don't mean to make an ad hominem attack (this podcast is actually fairly accurate - just jumps to conclusions), but Steve isn't exactly known for being a respected researcher in the security industry - he's a bit of a poser and sensationalist/alarmist. My gut feel is that Steve is continuing on his sensationalist streak, jumping to conclusions and trying to drum up more excitement. He frequently hypes issues to crazy levels and tries to make himself look like a hero/expert. In fact, he usually offers little insight and often tries to pass off regurgitation (often inaccurate) as original research. Just listen to him in this recording talking about "rolling up his sleeves" and "wrote all my own code", etc. Look up his stuff on nano-probes (http://grc.com/np/np.htm [grc.com]) for some funny stuff. I am a security professional and can tell you that much of his writing is BS and/or hyped/obfuscated wording for technologies and techniques that have been in common usage for years and years before he writes about them. I just can't help but take Steve's claims with a grain of salt.
Wine bug compared to MS (Score:3, Interesting)
In fact, the differences between the behaviour of Wine and Windows implies that there is indeed something very unusual about the way Windows handles this special case. Whether it is an intentional problem or just horribly bad coding, that is harder to say.
Other Explanations (Score:3, Interesting)
(http://www.infiniteinjury.org/)
This, however, overlooks many other possibilities and, unless there is other evidence I am unaware of, suggests an ignorance of security vulnerabilities by those making the suggestion. Frequently security vulnerabilities result from data being interpreted in an incorrect fashion as a result of pointer munging or memory collisions. Often some perfectly innocent piece of data (like message length) will get used as an index into some table or mistakenly used in stead of the correct variable in some test and cause incorrect execution or privelege escalation of the user's code.
Even if there is reason to believe this isn't a simple code error like this there are many other explanations other than microsoft or an employees malevolence. For instance imagine this situation:
Initially Metafile execution is designed to execute code in the fashion of the vulnerability with no requirement on the header length. This is perfectly plausible if it was programmed by some new hire without much awareness of security. Hell, it could be a bug introduced to do some sort of debug or get something up and working fast which just got left in the codebase. I'm sure all of us have made a change to our code that screws over security just to do some testing and sometimes people forget about it or get fired.
In any case this security issue in the code base is there and some other parts of windows start relying on it. The security experts eventually notice the issue but by now other parts of windows will break if it gets fixed. Perhaps then the deciscion is made to partially patch the vulnerability but leave a special value for some fields which triggers the old behavior so as not to break the other parts of windows. If this is the case it would explain microsoft's recluctance to patch 95 and other old systems, because a patch would require rewriting some significant part of the system.
Perhaps microsoft even intended to fix the vulnerability but the blah-blah group asks the metafile group to leave in a workaround (the special values) so they can continue to work on the rest of their component. Maybe then the groups are late to the deadline and forget about that issue in their rush. Or perhaps by this time the group members who knew about the workaround have left and no one knows to go back and remove it. Or maybe this is fixed as part of some larger patch applied to the source tree and when it breaks the build late at night and someone calls the metafile team whoever answers doesn't realize its a security issue and backs out the change but forgets to tell the people who made it.
Whether or not I have the details right the point is clear. There are a hundred innocent ways for this sort of vulnerability to arise. It is silly to jump to the conclusion it is an intentional backdoor.
ENOUGH. Gibson was right about raw sockets. (Score:3, Insightful)
(http://slashdot.org/)
After the relentless pounding and smearing of Gibson, Microsoft quietly disabled the raw sockets code, whatever the hell it was.
Gibson was right. They fixed the problem. He was right, The Reg was wrong.
Jesus, it's like arguing with 20,000 Bill O'Reilly's. Truthiness! Gibson is a maaaaadddmaaaannn!
And since people rarely followup to what they think is truthy, they missed the fact that the only reason the Raw Sockets disaster didn't happen is because MICROSOFT QUIETLY FIXED THE PROBLEM, JUST. LIKE. GIBSON. SAID. THEY. SHOULD.
And as for being a top security professional, something he never claimed to be - he's a developer - what makes you all think that the very best security people at the NSA and Microsoft don't already know all about the exploit, because it's one of the many that they placed there in the first place?
Listen, everyperson, Microsoft has cooperated with Justice, the FBI, the NSA and all the other alphabet boys since the beginning. Windows and Office are monitored at will, you can bet your last god damned dollar. Can you imagine MS refusing to cooperate, especially during a ten year monopoly trial??
(originally posted as AC because I'd moderated; however, even posting as an AC, the code retroactively undid my moderation. Didn't know that would happen. A little warning, Slashcode?)
I'm asking "Why?" (Score:3, Interesting)
(Last Journal: Friday April 11 2003, @09:14AM)
If the vunerability was an accident it was stupid and it needs to be fixed. I don't necessarily buy Gibson's reasoning but, I can see how he got there and that is enough to be troubling to me.
Did some rouge programmer think "This is a cool idea? and against the rules just stuck it in there? I can't believe that Microsoft gives anyone that kind of autonomy. They have to have far better code review policies than that. That is harder for me to believe than anything else!
Did some group think that this backdoor coupled with some other software could be used for some acceptable purpose in the future? Did someone say "Hey, with some code off of the Genuine Advantage web site we can use this to disable some features on computers that are running pirated software. This is only an example but I hope you get my point. I can see how something like this may be considered and discussed. I'm not so sure it would make it past the lawyers though. Maybe it was started, aborted, and this was a trace that was forgotten about and slipped bye? This sounds a little far-fetched but I have seen useless bits of code left behind in other coding projects. I'd buy something like this even though it sounds like something out of a bad movie.
Did the NSA or some other agency approach Microsoft and ask to have something like this put in their code? We know that they have asked for encryption code before so that they could examine it so maybe this kind of idea isn't so strange? An exploit that the government knows about could give them a significant advantage in cyber-war. Frankly, this sounds like a Tom Clancy wannabe's plot for a novel. But it could happen.
Honestly though all of this stuff sounds like conspiracy-theory stuff to me. My guess is that it is more innocent than all of that. I'd guess the exploit is a leaving. Something that got left behind from some piece of code that simply didn't make the final cut.
I'd just like Microsoft to explain themselves this one time. Completely, thouroughly, honestly. Then they can tell us what they will do to ensure it won't happen again.
MSRC responds: Intentional Back door? um no. (Score:3, Interesting)
(http://www.stepto.com/default/default.aspx)
http://blogs.technet.com/msrc/archive/2006/01/13/
I emailed Zonk about it but I don't think he's had a chance to update the posting.
Long story short the idea that this is intentional rests on the premise that only an incorrect value produces the vuln. That is totally wrong, both correct and incorrect values trip the vulnerability. Besides doesn't it seem odd to create a backdoor that would require the user to first visit a website? What, were we going to take out a superbowl ad suggesting people visit www.microsoft.com so we could...uh...what exactly?
S.
Gibson wrong yet again. (Score:3, Informative)
(http://slashdot.org/ | Last Journal: Friday June 29, @03:53AM)
See the following post for why this occured.
http://blogs.technet.com/msrc/archive/2006/01/13/