Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software Security

WMF Flaw not a Backdoor 226

koro666 writes "In a blog post, Mark Russinovich from SysInternals responded to the allegations made by Steve Gibson labeling the flaw as an intentional backdoor. It seems that the hype was about Steve's discovery that the code would only be executed if the size of the metafile record was deliberately tampered with, which is not the case. The technical details are explained in his post."
This discussion has been archived. No new comments can be posted.

WMF Flaw not a Backdoor

Comments Filter:
  • Conspiracy theories don't need reasons backing them up. I still think that microsoft eats babies.
    • Re:it doesn't matter (Score:5, Informative)

      by vdboor ( 827057 ) on Friday January 20, 2006 @08:25AM (#14518202) Homepage
      Conspiracy theories don't need reasons backing them up

      You've got a good point here and it describes the other side of of Steve Gibson [grcsucks.com]. After reading that site, you'll understand his stories are mostly made of popular speak or disinformation, rather then scientifical information.

      So while you may admire him for his charisma, you shouldn't for his expertise. Would you e-mail him about an error, he'll silently correct it as if he'd always known it. You won't find him at an official security conference, but in the eyes of his fanbase he remains a god. I can image people are felling for his stories through, his stories make you get excited easily.
      • scientifical? that's great...
      • You've got a good point here and it describes the other side of of Steve Gibson. After reading that site, you'll understand his stories are mostly made of popular speak or disinformation, rather then scientifical information.

        And he's different from other mainstream media sources how?
      • by Mattcelt ( 454751 ) on Friday January 20, 2006 @10:03AM (#14518815)
        While I'm not an apologist for Gibson, I think it should be pointed out that he stated quite clearly in the original interview that his view on the metafile vulnerability was conjecture, and was based on his limited work with the subsystem.

        This wasn't a Chicken Little incident. I thought it was very reasonable, controlled, open to correction, and intended mostly to elicit a response from Microsoft, which clearly it did. All in all, I think this was a positive exercise in nearly every respect.
        • by monkeydo ( 173558 )
          While I'm not an apologist for Gibson, I think it should be pointed out that he stated quite clearly in the original interview that his view on the metafile vulnerability was conjecture, and was based on his limited work with the subsystem.

          When did he point that out? Certainly not in this interview [grc.com] where he was adamant that the flaw was a deliberate backdoor. The only thing he equivocated on was who at Microsoft knew, and how old it was.

          Steve: ...This was not a mistake. This is not buggy code. This was pu

    • by mysticgoat ( 582871 ) * on Friday January 20, 2006 @12:39PM (#14520124) Homepage Journal

      Conspiracy theories don't need reasons backing them up.

      There is no way to disagree with that, if one accepts the anthropomorphism. s/theories/theorists/ would make this a stronger statement.

      But whatever... At the time this particular exploit was introduced into Windows, there was definitely a conspiracy within Microsoft that involved at the very least mucking about with the documentation of the Windows API.

      One of the reasons that Win30 and Win31 succeeded in capturing the market so quickly was because MS made the Windows API available to application competitors, notably Quattro Pro, then from Borland, and WordPerfect, then from WordPerfect. MS presented Windows as being a Good Thing for the entire software industry and got a lot of needed buy-in on that basis. During the development process for Win31, it was highly significant to the marketplace that Borland, WordPerfect, and other industry leaders of DOS software were writing native Windows versions of their applications, and urging their customers to upgrade from the DOS versions to the Windows versions. (The DOS versions ran better under OS/2 than they did under Windows since OS/2 had preemptive multitasking; moving the market to Windows versions of these products was critical to MS if Windows with its cooperative multitasking was going to survive the OS/2 challenge).

      But MS wasn't playing fair: when Win31 came out, Excel and Word danced rings around Quattro Pro and WordPerfect. And when people started to look at how MS was able to get such better performance out of the same API, they found that the MS application coders were not using the same API at all: they were relying on undocumented features and features that were documented in misleading ways.

      This and similar shenanigans from MS are matters of historic record, vetted by the courts. There can be no question that MS is a company that has used conspiracy tactics to gain market share. There can be no question that MS was doing this at the time it implemented the WMF structure under Windows.

      Where does the WMF vulnerability fit in, in light of this background? Obviously it was not written initially as an internet backdoor.

      But consider an MS application that used a trademarked WMF graphic on its splash screen. That graphic could run a small bit of code that would unlock hidden capabilities in the Windows API. For example, it could set DEBUG=TRUE in some low level part of the task scheduler, turning off chunks of code that other applications would have to wade through, and thus making the MS app so much more efficient in a way that would be undetectable even on dissassembling the code. There is no technical reason why the WMF vulnerability could not have been used in this way. There is no question that the MS corporate culture of that time would have celebrated and rewarded this kind of cleverness. In view of this background, and the fact that this vulnerability managed to survive the intense scrutiny of several major code revisions, the only reasonable assumption is that the WMF vulnerability is a deliberate backdoor and has been kept around because MS has thought it would be useful to them.

      MS has always been a company that has put more value on cleverness than on ethics.

      So the questions now are what has MS used this backdoor for, and what has been their plans for future use? Anyone who has used a Windows machine recently should be wondering what information MS has gathered from them and what MS is doing with that information-- the ability to swap a keyboard logger in and out as different graphics or icons are presented while an application is running is a disturbing thought.

      I continue to think that there is cause here to consider a Grand Jury investigation. I don't see any other way in which MS employees could demonstrate that their unethical business practices haven't transgressed over the fine line and become criminal behaviors.

      • This is an excellent post, the best in this entire discussion. Everyone hates microsoft today of course, but their predatory behavior was far, far worse in the early 1990's.

  • Well, googlefight has Russinovich on the ropes, Gibson comes out well on top as far as hits go.

    However, Mark has been gaining himself a decent reputation recently.

    I know whos opinion and factchecking I trust at the moment.

    Mark Russinovich
    483,000 results

    Steve Gibson
    13,700,000 results
    • by Anonymous Coward on Friday January 20, 2006 @08:26AM (#14518208)
      It's hardly a competition. Mark knows Windows inside and out. He was the first licensee of the Windows NT source code and used it to produce a toolkit that is used as the basis for many of the device drivers that have been produced for Windows. Gibson has written some apps and has shot his mouth off about something before he'd looked closely enough. Sure the documentation for SetAbortProc was wrong, but this is a mechanism that is used in many parts of the Windows API and he should have realised how it was used.

      Hit counts don't count for much. Britney Spears is the highest in terms of web searches. I guess that means she beats both Mark and Gibson.
      • by Anonymous Coward
        Umm, sorry but thats wrong.

        Mark had the opportunity to view the source code, but after reading the NDA he declined as some of the terms meant he would have to stop writing his Sysinternals code.

        Mark was *not* a licensee. He has not used the source code - all his tools are built on reverse engineering.

        This information came from the "Inside Windows Course" run in London by Mark Russinovich and David Solomon.
        Having attended the course and spoken to both of them, I'm very impressed with their knowledge.

        Another
    • by TarikJax ( 919148 ) on Friday January 20, 2006 @08:41AM (#14518265)
      When Gibson was asked about the WMF thing being a back door he immediately replied "that's the only explanation." To me, that's not the language of a man who is open minded. There's no evidence that this is a backdoor other than Gibson's accusation and that is based on a false premise (that the metafile size was the deciding factor).

      • I'm not sure I even care if it is a back door, so much as I care if it can be used as a back door. If the answer to the second circumstance is "yes," then it would seem that what we're seeing in this debate is little more than semanting quibbling.
    • I didn't even knew who Steven Gibson was before this post. Russinovich's site (sysinternals.com) is one of the sites you can't stop visiting if you're doing anything with windows, even NT programmers at Microsoft use it, and Microsoft talks about those programs [sysinternals.com] in several support articles. Just because people has know him after he discovered and analized the sony rootkit doesn't means he has never had a "reputation" as an expert.
    • by qwertphobia ( 825473 ) on Friday January 20, 2006 @09:09AM (#14518423)

      Steve Gibson: 12,700,000 results.

      William Gibson: 21,300,000 results.

      Now who's your daddy?

      • Steve Gibson: 12,700,000 results.

        William Gibson: 21,300,000 results.

        Now who's your daddy?


        35,000,000 for bill gates

        45,200,000 for porn

        233,000,000 for sex

        Good. Now I know who my daddy is.
  • Doorframe (Score:5, Funny)

    by Renraku ( 518261 ) on Friday January 20, 2006 @07:58AM (#14518110) Homepage
    Not quite a backdoor in itself, but it makes a very nice doorframe. Complete with the Windows 'critical flaw of the month' moulding and Welcome mat placed in front of it, just ready for someone with a door to install it into the wall...
    • Re:Doorframe (Score:5, Insightful)

      by Bimo_Dude ( 178966 ) <bimoslash@NosPam.theness.org> on Friday January 20, 2006 @08:04AM (#14518138) Homepage Journal
      Agreed. While it is important to know whether or not this was put in intentionally (IMHO, not intentional), I think what's more important is the fact that it exists, and what can be done to reduce the exposure to this flaw. Educating users is a good start. Maybe more of the mainstream media could cover stories such as this, and include instructions on how to patch / update for those who don't know.
    • by twitter ( 104583 )
      just ready for someone with a door to install it into the wall...

      What wall?

    • So in essence Windows is like the Motel 6 down the street. Vulnerabilities can have a cheap, comfortable room.

      I'm so changing my startup sound on my work machine to "I'm Tom Bodett, and we'll leave the light on for you".
  • by tpgp ( 48001 ) on Friday January 20, 2006 @07:58AM (#14518111) Homepage
    At least not many people I know.

    I think the real question about this WMF vulnerability is how on earth could it have survived five years under the new security aware, code auditting regime that we supposedly have at Microsoft?

    (Please don't reply that the wine people implemented it too - their goal reimplement the windows API, not audit it for security)
    • by Anonymous Coward on Friday January 20, 2006 @08:12AM (#14518154)
      I think the real question about this WMF vulnerability is how on earth could it have survived five years under the new security aware, code auditting regime that we supposedly have at Microsoft?

      (Please don't reply that the wine people implemented it too - their goal reimplement the windows API, not audit it for security)


      Sorry if I don't care about your rules for what I may and may not reply, but that the wine group did implement it says a whole lot of how difficult it was to spot. Their goal was to reimplement the API, sure, but you can bet your ass that they would have reported it if they saw it. And they did, despite it being right under their noses. Even Russinovich makes this point (but I guess you didn't really read TFA anyway, did you?). Forgive me if I trust his judgement a little more than yours.

      That doesn't say anything bad about wine coders, who, as we all know, are pretty good coders, but it does about the subtlety of the issue. Yes, MS deserves some blame. But let's keep things in proportion -- this was a tricky little bug.
      • Well, as their name subtlely denotes, backdoors are on the back, hence the difficulty to spot them if not proactively looked for.

        That must be the raison d'etre for constructing them in the back.

        And, to conclude, if it is built like a backdoor, and squeaks like a backdoor, it must be a...

      • by tpgp ( 48001 ) on Friday January 20, 2006 @08:33AM (#14518228) Homepage
        Sorry if I don't care about your rules for what I may and may not reply, but that the wine group did implement it says a whole lot of how difficult it was to spot.

        My point was that the wine people's goal was to reimplement. Not audit.

        MS's goal over the last 5 years was to audit. You would think they would have looked particularly hard at code with roots in Windows 3.1 (which, as Russinovich pointed out is a common source of poor API design)

        Their goal was to reimplement the API, sure, but you can bet your ass that they would have reported it if they saw it. And they did, despite it being right under their noses. Even Russinovich makes this point (but I guess you didn't really read TFA anyway, did you?). Forgive me if I trust his judgement a little more than yours.

        Well, forgive me if I don't trust some MS shill posting anonymously on slashdot, especially when they say:

        That doesn't say anything bad about wine coders, who, as we all know, are pretty good coders, but it does about the subtlety of the issue. Yes, MS deserves some blame. But let's keep things in proportion -- this was a tricky little bug. [emphasis mine]

        MS deserves some blame? Who else should we blame? The wine group? Mark? Steve Gibson? Slashdotters?

        Microsft deserves all the blame for this - they're responsible for the bad design, the bad implementation and the lax audit. Suggesting they only deserve a portion of the blame shows your bias.
        • Comment removed (Score:5, Insightful)

          by account_deleted ( 4530225 ) on Friday January 20, 2006 @08:48AM (#14518298)
          Comment removed based on user account deletion
          • AFAIK, the Wine people probably know about a lot of things in Wine that aren't securely designed. Doing secure software design is hard even for simple software, and when someone else has already done the design and you're worried about trying to make (often broken) code written to their design work under your system, it's not so obvious.

            That being said, I'm not saying that I couldn't see them raising it, but it's not as if they were proposing designs and some guy was pointing out security holes in the desi
          • Simple.
            The code for winevdm (Win16 layer implementation) traces it's existance back to the days before windows 95 (!)
            It implements a function called WOWCallback16Ex which executes 16-bit code passed in an array parameter. Normally you can't do stuff like that in linux, but winevdm uses the special features of 32-bit x86 processors to put the process in vm86 mode where you can do pretty much anything.
            This was used to implement a lot of the callbacks in Wine's 16-bit GDI layer... support for 16-bit printer dr
        • MS deserves some blame? Who else should we blame? The wine group? Mark? Steve Gibson? Slashdotters?

          You've never had a security flaw in your code? It's an *accident*, the same as when the postman falls over and breaks your parcel. Oh wait, I forget, in America there's always someone to sue.

          • christ man, there are many many many..

            the mailman sues his employers, for putting him in harms way
            the manufacturer of his footwear, for it not being slip resistant enough
            the manufacturer of his mailbag, for a capacity spec that allowed him to get so top heavy/off center
            you, for shipping/recieving dangerous goods that did not break his fall- and gave him a nasty bruise an emotional disturbance.

            the people who witnessed the event all sue the above, plus the mailman, for emotional disturbance
            the USPS sues all t
          • You've never had a security flaw in your code? It's an *accident*, the same as when the postman falls over and breaks your parcel. Oh wait, I forget, in America there's always someone to sue.

            So who shares responsibility with MS over accidents? No one. There's no one else to blame. As mentioned before, MS is responsible for its code, so it shoulders sole blame for accidents in its code. Not "some" of the blame. All of it.

            Having said that, shouldering the sole blame for a bug seems pretty minor. MS relea

        • "Microsft deserves all the blame for this - they're responsible for the bad design, the bad implementation and the lax audit. Suggesting they only deserve a portion of the blame shows your bias."

          You may want to read this article [abc.net.au] next time you fill up your bucket with tar and start stripping the feather dusters. Throwing blame around doesn't help anyone, and only shows your own bias.

      • What I'm not seeing in these discussions is the fact that what Steve Gibson found was very poor coding which resulted in executing code stored in a media file. A simple check of the illegal header size value should have rejected the media file but instead, it went ahead and adjusted some pointer which resulted in executing code.

        There are really two issues here. One is that the WMF spec allows for executing code stored within a WMF file and secondly, the fact that an illegally constructed WMF file( bad lengt
        • Sorry for the reply to my own post but I just ran Steve Gibsons test app on an earlier version of WINE( 06/28/2005 ) and it does not have the illegal WMF header structure flaw.

          So while the WINE people implemented Microsofts WMF Spec correctly, it appears they did NOT follow Microsofts practice of allowing an invalid WMF file to continue on and implement/execute the SetAbortProc vulnerability.

          LoB

          • Actually, they did. No, Gibsons's original exploit didn't work, but he later modified it in a way that it did work. You can find the code here:

            http://www.grc.com/x/news.exe?cmd=article&group=gr c.news.feedback&item=60751&utag= [grc.com]
            • Sorry, that URL is invalid so I can't test that particular executable, but I did find his new "MouseTrap.exe" WMF vulnerability test. The point I still want to make is that the original KnockKnock.exe test did not work on WINE. This program used the len==1 problem Windows has with not testing for a valid WMF file and then continuing on with the bad WMF file and immediately starts executing code in the WMF file. Mr Gibson found this flaw when first attepting to create a test program to see if the original W
              • Gibson admits he was wrong about the length=1 issue. His problem was that his test metafile only had one record, and Windows deliberately doesn't call SetAbortProc on the last record (in his case, the only record) because there's no reason to cancel a single record. His exploit only works by fooling Windows into thinking there are more records.
          • Here I go again, replying to my own message but since someone already showed that they don't get my point, I'll show the code I found in WINE to show that WINE does test for 'len equal to 1' backdoor execution and does NOT erroneously continue on. I looked at the code from metafile.c and it tests the size value in the header for a valid size.

            it first sets the varible 'size' to the size of the METAHEADER structure, allocates some memory before it reads that many bytes of the MWF file:

            METAHEADER *MF_ReadMetaF

    • Comment removed based on user account deletion
    • "how on earth could it have survived five years under the new security aware, code auditting regime that we supposedly have at Microsoft?"

      It takes time to look trough 35 milion (Windows 2000) - 40 milion (Windows XP) lines of code...even for a big company.

      Slightly off topic but I was plesantly supprised to see that in Visual Studio 2005 (probably where there already in VS 2003 but I've never used that one) most of the offending runtime functions (memcpy, strcpy etc) have been marked deprecated and replaced
    • The thing is, with all the lines of code in Windows, you don't really think that they looked at all of them ? There are most certainly a bunch of other flaws in Windows. It's just that nobody with the will to share it has found any yet.

      --
      Krazy Kat [ignatzmouse.net]
    • As far as I know, Wine has never implemented the actual vulnerability, i.e. execution of the code included in the wmf file. The did implement SetAbortProc for screen rendering, and ripped it out when the Microsoft vulnerability came to light just to be on the safe side. From dlls/gdi/metafile.c history:

      revision 1.12
      date: 2006-01-06 20:52:46 +0000; author: julliard; state: Exp; lines: +7 -0
      Marcus Meissner
      gdi: Filter GETSCALINGFACTOR and SETABORTDOC proc in metafile
      Escapes.

    • Gibson is a crackpot.

      I gave up listening to him when I read his conspiracy theory for S.M.A.R.T. hard drives. Gee, so S.M.A.R.T. makes his software obsolete? Sounds like a marketing tactic.
    • Another thing this points out is just how much Microsoft resists open standards. As far as I can tell, the chief reason WMF was and is still widely supported in Windows is that it effectively emulates vector graphics. How many opportunities did Microsoft turn down to put in SVG, PDF, or similar support?
    • You mean, their goal is to make Linux as insecure as Windows?

      Seriously, it would surprise the hell out of me if the Wine's team position on this was to favor compatibility over security. If that is indeed their position, then they should be keel hauled over it.
  • ride the wave (Score:5, Insightful)

    by DeveloperAdvantage ( 923539 ) on Friday January 20, 2006 @08:00AM (#14518120) Homepage
    because the issue continues to draw media attention I've decided to publicly document my investigation.

    i.e., I'd better hurry and get this out before nobody cares. :)
  • by digitaldc ( 879047 ) on Friday January 20, 2006 @08:23AM (#14518190)
    First of all, that was extremely wordy article to explain the WMF vulnerability, IMHO. But some important points were made:

    if an attacker can get your computer to execute their WMF file through Internet Explorer or Outlook, for example, they can make your system execute arbitrary Windows commands, including downloading malicious applications and launching them.

    My belief is that Microsoft developers decided to implement as much as the GDI function-set as possible.

    In any case, its not clear that the developers envisioned applications creating on-disk metafiles with abort procedures.

    ...given a choice of believing there was malicious intent or poor design behind this implementation, I'll pick poor design.


    Either way, it is still hard to tell why it was designed that way in the first place, maybe one of these [microsoft.com] links can tell us?
    • by m50d ( 797211 ) on Friday January 20, 2006 @08:56AM (#14518355) Homepage Journal
      When a program sends a document to a printer, the program is already running, so if you allow it to execute arbitrary code by doing so, no biggie, it's worth it if you get some useful functionality out of it. Especially in the window 3.1 days.

      If you want to render something postscript-like onto a screen, why not just reuse the printer code?

      I can see how it happened. The original introduction of setabortproc violated separation of code and data, but it was needed for performance - and on the kind of hardware win3.1 ran on, that was vital. I suppose it shows that you should never compromise on design for the sake of performace - but in the real world, you have to. May I also point out that if the x86 had a working way to mark memory non-execute then this wouldn't be a problem.

    • by spectecjr ( 31235 ) on Friday January 20, 2006 @10:02AM (#14518808) Homepage
      Either way, it is still hard to tell why it was designed that way in the first place, maybe one of these links can tell us?

      It's quite simple:

      WMF is used under the hood in lots of places in GDI. Any time GDI passes a bunch o' commands from one place to another, you'll find WMF. And as a result, WMF encapsulates almost everything you can do with GDI.

      SetAbortProc is used to allow an app to display a custom "Printing Page xxx of xxx... [Cancel]" dialog to be displayed on Windows 2.0, 3.0 and 3.1, all of which are cooperatively multitasking and so need to drain their message queues on a regular basis - which they do every time that AbortProc is called.

      There are even examples of this exact behavior on MSDN. It's still semi-useful under later versions of windows to be able to do this, and it's good for backwards compatibility, so it stuck around.
  • by AHuxley ( 892839 ) on Friday January 20, 2006 @08:33AM (#14518232) Journal
    Never attribute to malice what can be adequately explained
    by stupidity.

    Why waste time putting in a backdoor? Just ship the OS around the world and enjoy.
    With an expensive scaled up consumer operating system - the operating system is the backdoor.

  • by terjeber ( 856226 ) on Friday January 20, 2006 @08:34AM (#14518235)
    So, why would M$ (or anyone there) need to create such an elaborate "back door" to Windows? I mean, they could put anything in anywhere they wanted to. If they wanted to download some stuff to my PC and execute it they could distribute it as an update. They could add the code to IE or the kernel. This is one of the dumber conspiracy theories I have read.
    • In a way they don't even have to use a back door to deliver secret code to Windows users. Just deliver it over Windows Update.
    • If they wanted to download some stuff to my PC and execute it they could distribute it as an update. They could add the code to IE or the kernel. This is one of the dumber conspiracy theories I have read.

      So, you think that M$ can and have put backdoors into your system but you still use it? Now that's dumb. Who needs conspiracies when everyone accepts their reasoning as good business practice? Here's a little refresher on what backdoors are all about.

      The reasons for backdoors is so that you and your fr

      • So, you think that M$ can and have put backdoors into your system

        Did I say that? I can't remember saying that I think M$ has put backdoors in my system. I was just saying that they can, easily. Would they? Probably not. They would be stupid to. As with most conspiracy theories this doesn't take into the account the simple fact that in any sizable organization, CIA included, you simply cannot keep secrets for that long.

        If M$ put backdoors in their systems employees leaving M$ for one reason or another,

    • The idea was that it isn't Microsoft -- as you said, Microsoft has no reason to stuff a back door into the software. However, Microsoft has an awful lot of employees, and one of *them* might have thought that it would be fun to secretly introduce a back door.

      Remember Apple engineers introducing Easter eggs that the company didn't know about? Same idea.

      I think that it's safe to say that this really is just a bad design that never got examined by someone involved with securing software, and not an intention
  • by Anonymous Coward on Friday January 20, 2006 @08:53AM (#14518334)
    ... when you can just throw a small rock through windows!
  • Steve (Score:4, Funny)

    by timbrown ( 578202 ) <slashdot@machine.org.uk> on Friday January 20, 2006 @09:15AM (#14518464) Homepage
    Perhaps Steve would like to present his findings at the next DunceHats [duncehats.org] security conference. We could do with people of his caliber.
  • It IS Hype (Score:4, Insightful)

    by LittleLebowskiUrbanA ( 619114 ) on Friday January 20, 2006 @09:16AM (#14518469) Homepage Journal
    and that's all Steve Gibson does. If I read one more blurb about how great it is that he can code in assembly...
    • Re:It IS Hype (Score:3, Insightful)

      If I read one more blurb about how great it is that he can code in assembly...

      Right, he codes Win32 apps in assembly. So he has the ability to dis-assemble the WMF player code and figure out what's really going on. Instead, he made a couple shallow observations and jumped immediately to a conspiracy theory.
    • by RubberDogBone ( 851604 ) * on Friday January 20, 2006 @09:38AM (#14518621)
      But but but! Don't you know, he can code Windows on the back of a napkin in his hand-optimised assembler code!!! /sarcasm

    • assembly is for wimps.

      copy con: program.com
      alt-###, alt-###, alt-###...

      and yes, I actually used that means to program a keylogger executable into a machine that had it's body locked in a cabinet, so only the keyboard and screen were accessable.

      but real programmers use toggle switches.
  • Steve Gibson gave his final word on this matter in a thisweekintech podcast interview: http://thisweekintech.com/sn23 [thisweekintech.com] Briefly, someone at Microsoft had the bright idea that one should be able to run code inside an image, for whatever reason. This left a backdoor, probably unintentional. Mr. Gibson regrets that his use of the term "backdoor" implied malice to some people. This was not his intention.
    • There's no such thing as an unintentional backdoor.
      A backdoor is something you purposefully build into your software, like you purposefully build a back door into your house. An accidental backdoor would be like a hole in the wall. You know, a SECURITY HOLE. Steve is just making shit up as he goes along, convienently redefining words.
  • I think everyone would agree that Steve Gibson is a technically-gifted person, but we should also agree that the guy is a little wacky, just like we should also all agree that Theo De Raadt is a little hot-headed. Not that this makes Steve or Theo a bad person - quite the contrary! It's just that when they make grand pronouncements, the pronouncements should be viewed skeptically. Anybody remember the controversy over NSAKEY [wikipedia.org] a few years ago? I.e., a flurry of wild allegations over something used for code signing that no one now cares about now that it's named something less offensive (_KEY2 for those playing along at home). It's easy to get all hot-headed and worried and freaked out, but that's the antithesis of what a information security officer is supposed to do. They are supposed to stay calm and rational in times of crisis, never jumping to conclusions (because most of the time, those conclusions are worse than wrong: they are misleading). Well, I'm ranting but you get the picture.

    • Steve Gibson is not technically gifted. He may understand computers and software but he only has a shallow understanding of computer security. Gibson does a decent job of sumarizing what other security professionals write. And he does a very good job of writing about himself.
  • Not to add to the continual Linux vs Windows battle-royal here on /. but this is exactly where being able to look at the source code helps. There would be no conspiracy theory if we could see the code related to WMF files. The most we'd be able to do is say "Damn, why'd they do it that way?". As one of the readers already posted, Mark Russinovich has seen the NT source, and is in the best position to say what is or isn't in the code. The rest of us are left to listen to whatever source seems credible at th
    • This would be true, if you avoid the fact that Steve Gibson take pride in coding his Windows apps in assembler. The normal release-compiled assembler x86 isn't that hard to grok, if you really claim to be a wiz at decoding it yourself. The debug symbols are out there for you to grab, too, so you get it nicely split up into functions.
  • What else is there to say? It's a bit of legacy code left over from the days when it was safe to assume that any code on a computer had been put their with the owner's knowledge and consent. That assumption has since been invalidated by subsequent events. A backdoor it may be -- but when it was put there, there used to be a fence around the back garden.

    And this is just one example of a whole class of things that are really, seriously, terribly wrong with Windows {and for that matter, closed-source sof
    • Now, if Microsoft change the way Windows works so as not to just hand out permission for any process to interfere with any other process, then the worms and viruses that depend on this behaviour will die off -- but so will all those applications that depend on this broken behaviour.

      If Microsoft did that, it would be a hell of a lot more difficult to debug applications. It would bring things back to the "core-dump" era where core files had to be manually inspected as opposed to just loading up the debugge

  • Of Course It's Not (Score:3, Insightful)

    by xrayspx ( 13127 ) on Friday January 20, 2006 @11:42AM (#14519608) Homepage
    But it succeeded in getting people to see the name Steve Gibson on a website again. From the plagarizer of SynCookies, the father of Raw Sockets paranoia, comes a new wild and unfounded allegation, WMF bugs put there intentionally to let Microsoft SPY ON EVERYTHING YOU DO OMGWTF!

    I can't believe people on the last thread actually took him seriously without looking at his past media whoring failed attempts at security analasis.

    Steve Gibson [grcsucks.com] is the Bob Lazar [ufomind.com] of the security field, only wackier.

  • who is REALLY is responsible for this flaw? I don't think Steve Gibson created this thing and IMO, he thought he was exposing something which looked pretty much like it had to be intentional. And without the code to see how this software REALLY worked, his conclusions were correct based on the data he had.

    Now, back to who is really responsible. It's Microsoft period. Even after they claimed to have rewritten there OS's after every other release, a hole the size of Kansas was left in since the early 90's? Co
  • by Futurepower(R) ( 558542 ) on Friday January 20, 2006 @12:36PM (#14520103) Homepage
    The sociology of this is more interesting than the programming details, in my opinion. It often happens that one person in the computer industry analyzes an abuse, and another person, who is competing for attention, attacks the first person. Admittedly, Steve Gibson of grc.com has a flawed, exaggerated manner of communicating. But many abuses never are fully recognized because technical people attack each other, rather than analyze carefully how they are being abused.

    As others have mentioned in comments I have excerpted below, the U.S. government stated clearly and for the record that it wanted access to all computers. It appears that the government got what it wanted in what I think I can show logically is the only way possible.

    Mark Russinovich of SysInternals [sysinternals.com] is an extremely competent programmer. His utilities for Windows are the best available. Even Microsoft recommends using them, to supplement the limited and unfinished and flawed utilities supplied with Windows. However, Mark Russinovich is not a sociologist, so his comments may not take into account the complexities of the social issues.

    The main issue seems to be, not that graphics files have the ability to execute code, but why was there inadequate testing in the code to prevent security vulnerabilities?

    Here are quotes from Mark's article:

    "The actual reason is lost with the original developer of the API, but my guess is that he or she was being as flexible as possible."

    And: "... given a choice of believing there was malicious intent or poor design behind this implementation, I'll pick poor design. After all, there are plenty of such examples all throughout the Windows API, especially in the part of the API that has its roots in Windows 3.1. The bottom line is that I'm convinced that this behavior, while intentional, is not a secret backdoor."

    Mark's perception of Microsoft's sloppiness seems correct to me. I coded a program for Windows 3.1 using the Windows 3.1 API that dialed to a bulletin board and downloaded stock quotes. I was amazed at the extreme sloppiness and bad design of the Com port API. The actual code that Microsoft shipped had the quality of code that I would expect from an overtired programmer's first draft. A rested programmer would not have been so sloppy, even in his first proof-of-concept code.

    Quotes from the comments:

    "Thanks for this excellent analysis! Steve Gibson certainly does not deserver to be taken seriously by anyone, but unfortunately he is :-("

    This is a reference to the fact that Gibson's language often contains a hysterical, exaggerated quality.

    Another comment -- This commenter makes the point that Microsoft had hired a technically knowledgeable top manager, who would certainly demand that programmers check the security of any code that is supplied by a user:

    "Q: When was this backdoor coded?
    A: About 1992.
    Q: How old was VMS at that time?
    A: 15 years.
    Q: Who directed the development of Windows NT?
    A: Dave Cutler.
    Q: What's Cutler's background.
    A: Directed VMS at DEC.
    Q: On who's watch was this security lapse ported into the Windows NT stream.
    A: Presumably Cutler's.

    While anything's possible, it's hard to imagine how a security lapse of this magnitude (trusting user-written code) could have made its way into VMS code.


    "The point is that Stephen Toulouse's "the security landscape in the early 1990's was very different than today" is, well, self-serving. Only in MS's myoptic view is this the case."

    Another comment:

    "Now that I think about it, even Mark has to guess at what some coder was thinking when she wrote this, and maybe she did it intentionally. You'll never know will you? Maybe somebody's been watching all of us for years, and it ends up in some massive NSA database."

    An
  • So, just so that we're all on the same page...

    Do we all really beleive that there's no backdoor in Windows XP?

    Or just that the WMF "problem" isn't it?

    Frankly, I'd be shocked if Microsoft didn't insert a backdoor into Windows somehwere. Apparently, the Chinese were woried enough about this very problem that they set up a program to look things over [com.com], and they're still looking into Windows alternatives.

Keep your boss's boss off your boss's back.

Working...