Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake - Updated 2Xs
Friday, January 13 2006 @ 11:18 AM EST

Those of you using Microsoft Windows 2000 or XP will want to follow this story: Steve Gibson has examined WMF and he now believes it was deliberately coded. It looks to him as if Microsoft put a backdoor into Windows, one that can be triggered even if ActiveX is turned off and security is set to high. It could be a renegade coder, he says, but in his view it's not bad design or a mistake.

I can't evaluate what he says, but if it's true, it is so serious for your privacy and security that I would feel irresponsible not to point you to his podcast, so you can evaluate it for yourself. So the podcast is here. Also, there are a number of Sony lawsuits going on, and some are considering settling. They also might like to know about this issue.

He is still testing, so this is a preliminary finding. It's possible that in a week he'll have more answers or a different explanation. Microsoft has yet to speak. Gibson is not an Open Source advocate, but he says he's gravitating toward it now.

Warning: you have to get through some graceless conversation about whether to use hacker or cracker, but that's just the first couple of minutes.

UPDATE: An explanation from the Microsoft Security Response Center Blog.

2d Update: Mark Russinovich, on why he believes it was poor design, not a backdoor.

3d UPDATE: Gibson acknowledges one mistake, but stands by his view that this was coded intentionally.

After acknowledging his mistake (his test metafile only had a single record: "I talked about ... the fact that the metafile record had to, apparently, in my case had to be set to an incorrect length in order to make this happen"), Gibson is asked whether that destroys his premise that this was coded deliberately:

LEO: Does that destroy your argument, or does it impact the argument?

STEVE: Well, I don't think it does. I mean, certainly it takes some of the edge off of it. But when I did finally look at Windows - I mean, and believe me, Leo, I was holding my breath that, you know, as I said, I might end up retracting everything and be completely wrong about this - when I looked at Windows I saw, I mean, as clear an example of intention as I have ever seen. I mean, this was just code designed to do this, code designed to jump into the metafile image and run the code contained in the image.

LEO: Now, Stephen Toulouse, who blogged about this for Microsoft, said, well, sure it's intentional, but it's intentional with a benign point of view. It was to allow GDI functionality; right?

STEVE: No. No one ever believed, I mean, no documentation, no common practice, no use ever had metafile images running code. I mean nowhere. I've put together and I've further fleshed out the page that I began last week. It was just sort of a placeholder page. It's at GRC.com/wmf/wmf.htm - WMF, of course, for Windows MetaFile. I've laid the whole thing out. I've got a screenshot and link to Microsoft's original documentation from Windows 3.0 and 3.1 explaining what this whole ABORTPROC thing is, and that it is for executing code in the user's application. I mean, it makes - it's crazy to think that even Microsoft at any time in the past would have thought that it made sense to mix code with drawing commands.

LEO: So the only reason you'd put this in is why?

STEVE: The only reason is to run code in an image, which has never been sanctioned, never documented, and, I mean, makes no practical sense.

LEO: There's no other legitimate use of that. It's so that you could put code in an image.

STEVE: Well, exactly. And, even more so, when a program runs, the Windows Loader does all kinds of fancy things, fixing up and filling out that IAT that we talked about a long time ago with RootkitRevealer, the Import Address Table, which essentially connects the application into the Windows API. If you're code running in an image, you have no advantage of Windows Loader, which basically makes it feasible for you to talk to the rest of Windows. Ilfak, in his vulnerability tester, because of this had to go through all kinds of very tricky hacker hoops in order to explicitly get access to Windows in order to just pop up his little dialogue that said you are or you are not vulnerable. It was a lot of work.

So, I mean, it just - it doesn't make sense that Microsoft could have ever published the idea of doing this; yet not only did I look at this, at the way this is implemented, but our friend Mark Russinovich from Sysinternals, he looked at it and sent me email, which I have a link to also on our WMF page. He analyzed this and concluded, just as I had, that this was intentional. He was not comfortable saying it was a backdoor. And, I mean, I respect his opinion. You know, "backdoor," as I said, is a very loaded word that carries with it all kinds of, you know, implicit malice, which I never meant to imply. But Mark, looking at the same code I have, and actually several other people, too, recognized that, for whatever reason, this is what the coder intended.


  


Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake - Updated 2Xs | 513 comments
Corrections Go Here
Authored by: Weeble on Friday, January 13 2006 @ 11:42 AM EST
In case there are any.

---
You Never Know What You're Going to Learn--or Learn About--on Groklaw!
(NOTE: Click the "Weeble" link for Copying Permissions and Contact Info.)


OT here, please
Authored by: overshoot on Friday, January 13 2006 @ 11:43 AM EST
Please be courteous and make links clickable HTML. Instructions at bottom of
comment pane.


Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: Anonymous on Friday, January 13 2006 @ 11:46 AM EST
Is there a link?


Gross Naivety rather than Backdoor I expect
Authored by: Anonymous on Friday, January 13 2006 @ 11:52 AM EST
WMF dates back to the times when MS were thinking that putting the capability to
execute code in every file format was a great idea. It's therefore likely to be
part of that misguided (to say the least - mind-bogglingly stupid would be
another phrase) policy rather than a malevolent backdoor...


Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: Anonymous on Friday, January 13 2006 @ 12:11 PM EST
I avoid the use of the term "Hacker" or "Cracker" when
referring to people that break into other people's computer systems.

I prefer to use the term "criminal".


Umm, Steve Gibson is a crank
Authored by: Anonymous on Friday, January 13 2006 @ 12:11 PM EST

Sorry, but Steve Gibson is well-known for making outrageous and patently false statements and generally not having a clue what he is talking about. He is a self-proclaimed security "expert" who gets by with snake-oil and lots of muddling. Please don't take anything he says seriously. Read the Wikipedia article on him and the sources it links to if you don't believe me.

Not that I'd put it past M$ to install such a backdoor, but coming from this source I'd say it's more likely they didn't.


Second source?
Authored by: Anonymous on Friday, January 13 2006 @ 12:17 PM EST
Gibson may well be right about this, but he does have a habit of
oversensationalising things. Is there any independent confirmation?


Seriously Doubt this
Authored by: Anonymous on Friday, January 13 2006 @ 12:23 PM EST
One fact that this guy ignores: Wine also has the WMF vulnerability. Wine has
no MS code in it. They just followed the specs.

Just bad design, not a deliberate backdoor.


Steve Gibson Credibility
Authored by: archanoid on Friday, January 13 2006 @ 12:29 PM EST
PJ, I would be wary of taking much of what Steve Gibson says and running with it. He is widely known by many well respected folks (Fyodor, whom I respect, for instance) as being something along the lines of Dan Lyons, Maureen O'Gara, et al.

Here is a discussion from the last time Steve Gibson reared up where he is referred to as "a media slut" and "a charlatan" (not that name calling debunks his work, it is just an idea of how he is widely viewed).

I have personally read and evaluated his rants about XP raw sockets and (as is now evidenced by the fact that his dire predictions never came to fruition) found him to be wholly unbelievable.

WMF may or may not be a backdoor. But "never attribute to malice what can be adequately explained by stupidity." I think that's an apt rule here and Mr. Gibson is likely trolling for hits.


Not surprising, really
Authored by: cybervegan on Friday, January 13 2006 @ 12:40 PM EST
WMF is not really a *format* as such.

It stands for Windows Metafile Format, and just like so many of MS's
"formats" it's just a memory dump - this time it's effectively a dump
of the Windows GDI (Graphics Device Interface) procedures and parameters
required to draw the image on a device context (i.e. the screen or a printer).

WMF has been problematic since early versions of Windows, but has fortunately
fallen into obscurity until recently.

regards,
-cybervegan

---
Software source code is a bit like underwear - you only want to show it off in
public if it's clean and tidy. Refusal could be due to embarrassment or shame...


I call BS
Authored by: Anonymous on Friday, January 13 2006 @ 12:41 PM EST
I'm too lazy to make an account. Contact me (Nicholas Weaver) at
nweaver@gmail.com

This isn't a deliberate backdoor, it is an old and DOCUMENTED design flaw dating
back to the Win3.1 days. It's a way for a graphics document (WMF) to efficiently
render to hardware and have a mechanism to escape to do something to fix things
IF something happens.

It's deprecated, DOCUMENTED (do you really document your Super L337 BackDoor?),
and legacy.

The lesson in WMF is not that it's a backdoor, but the danger of backwards
compatibility. Something which really actually made sense in the days of Win3.1
and DOS might be (and often is) totally out of place in the days of WinXP.
Microsoft's problem, unlike Apple, is that it can't or won't throw out the
old.


Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: gbl on Friday, January 13 2006 @ 12:44 PM EST
The real problem is not executable code within a data file - it's the way Windows aggressively seeks out executable code in files and then executes it.

Remember a couple of years ago when it was discovered that Javascript in the comment field of a GIF or PNG file was run within Internet Explorer?

Windows is open, it's just the bad kind of open :-)

---
If you love some code, set it free.


Interesting
Authored by: edal on Friday, January 13 2006 @ 12:52 PM EST
Is this one of the NSA backdoors that everyone was talking about a while ago?

Ed Almos
Budapest


Transcripts here
Authored by: Anonymous on Friday, January 13 2006 @ 12:53 PM EST
Hi

Steve Gibson has posted transcripts here: Several formats (http://www.grc.com/SecurityNow.htm#22)

I second the notion that he's a sensationalist. His Shields Up! testing is very
useful, though :)


Transcripts here
Authored by: Anonymous on Friday, January 13 2006 @ 12:58 PM EST
Hi

Steve Gibson has posted transcripts here in several formats.

I second the notion that he's a sensationalist, and would like independent assessments of this material. His Shields Up! testing is very useful, though :)


Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: Anonymous on Friday, January 13 2006 @ 01:07 PM EST
I agree with Steve. I felt this from the very first time I heard about the
exploit. My reasoning:

* ANY REASONABLE CODE REVIEW of such an important file format would have found
this problem.

* This file format has been around for 15 years like this. That's an ETERNITY
in computing. How could it not have been known to at least Microsoft? Are they
that ignorant of their own codebase? I doubt it.

* The attack vector is perfect for exploiters. No overflows needed, easily
fools most apps by disguising as other file types (because Microsoft is
deliberately ignorant of MIME types in some important apps and circumstances),
and it even hooks into GDI!!!

In my opinion, the real scandal here is not the worms from script kiddies that
surfaced after the exploit was made public. The scandal is that EVERY
INSTITUTION using a Windows computer was likely vulnerable to being spied on by
anyone who was "in the know" on this exploit. Think of all the banks,
government agencies, hell even WARSHIPS, that use Windows in some flavor, and
you can see how this is an absolutely detestable back door. How much crime or
spying (or criminal spying) has occurred due to Microsoft's negligence? How can
an EULA protect Microsoft from such an obvious and critical defect?

This is the sort of thing we should be having congressional hearings on!!!


This looks like a Programming Error To Me
Authored by: Prototrm on Friday, January 13 2006 @ 01:11 PM EST
First, IANAL, but IAAP (I *am* a programmer). This does look suspicious at first
glance, but I think Steve Gibson is wrong. Let me explain.

The graphics format consists of multiple records, the first part of which tells
Windows how long the record is (so it can find the next one). This length value
must be greater than 6, or the file cannot be read (that's the length of stuff
that *has* to be in every record, by definition).

The format also has, as part of its design, a "call back" that Windows
would use if the user is printing the graphic and cancels the job before it
finishes. Steve says this callback address is useless in a WMF file.

If the length value is "1", and a callback address exists in the WMF
file, Steve says that Windows will automatically start executing the contents of
the record.

To me, this does look like it could be a programming error, with a combination
of internal factors causing the first non-header location in the WMF record to
be executed instead of a routine specific to the WMF file itself. I think it's
significant that Steve reports that the code in the record is executed, rather
than following the "call back" pointer. Another problem for me is that
Steve reports it only happens when the length value is "1", not
"0" (he doesn't say if it happens for values of "2" through
"5", which is what I'd like to know). I wouldn't expect it to happen
on a value of "0", but "1" or "2", yes. If it only
happens on "1", that would raise my suspicions a bit. Why would
"1" be special?

My conclusion is that this is indeed a bug in the system, not a deliberate back
door, but additional testing is needed to see just what the true vulnerability
is. That's why programmers work in teams to check each other's work. Steve
should have waited until he could have done more testing and get confirmation
from others. To hell with being the first to post.

Right now, I'm using VMplayer to run Windows 2000 inside Suse Linux (with no
internet connection from inside this "sandbox"). Just in case I'm
wrong. Where is that tinfoil hat when I really need it?


Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: Anonymous on Friday, January 13 2006 @ 01:16 PM EST
To the folks on here posting that this is a design issue rather than an
intentional back door: where's YOUR proof?

You see the burden of proof goes both ways here. If you're going to disguise a
deliberate back door, the FIRST thing you'd do is make sure it looked like an
honest mistake.

The intention here is impossible to gauge without a DOJ investigation. All our
speculating is just that. But remember, the assumption that not fixing this was
a deliberate act is JUST AS VALID as assuming it was an honest mistake.

Incompetence is not a defense, and this particular security hole could
reasonably have been exploited by anyone in the world had they been "in the
know" about it.

Remember, it is extremely easy to erase one's tracks when hacking. It's not
like breaking into a building. Digital tracks are far easier to conceal
compared to physical evidence, like skin cells, fingerprints, DNA residue, human
witnesses, etc.


Steve Gibson: gravitating towards Open Source
Authored by: rmalheiro on Friday, January 13 2006 @ 01:21 PM EST
Gibson is not an Open Source advocate, but he says he's gravitating toward it now.
Looks like Open Source is now "big enough" to attract sensationalist "journalists". Steve Gibson has published several far-fetched theories and is probably just trolling for page hits.

Anyway, I only touch MS products wearing gloves and with a ten-foot-pole. Or a very large club...

--
Note to self: get a .sig


Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: Anonymous on Friday, January 13 2006 @ 01:31 PM EST
Folks, check out the OT thread in "The Open Source as
Prior Art Discussion Begins" topic.

There is a post by "rocky" there titled "MS used their own
backdoor into WinXP". It is related to this discussion.

It is scary.

I personally don't use Windows except at work, where
I really have no choice, so I have little sympathy
for those who do. But the (I'm lost for words
here - gall perhaps?) of M$ here is beyond comprehension
if what happened is true.

Thank God for Linux.




Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: mexaly on Friday, January 13 2006 @ 02:16 PM EST

These are accusations of intent based on "preliminary" reasoning.

I think if someone says "Preliminary results suggest person X is a
burglar," that's something a journalist would want to confirm before
publishing.

Never attribute to malice that which can be explained by stupidity.

---
My thanks go out to PJ and the legal experts that make Groklaw great.


once again a violation of privacy laws in CANADA
Authored by: Anonymous on Friday, January 13 2006 @ 02:37 PM EST
Good on Bill Gates; if this is ever proved, your monopoly dies right then and
there. The laws are pretty strict on such and in my opinion as IANAL they could
require you to pay heavy fines or remove the product.
Another reason why backdooring is extremely dangerous, and is nothing less than
making your product less secure.


Did I understand it right?
Authored by: Anonymous on Friday, January 13 2006 @ 02:47 PM EST
Other tech geeks here please check me. I read the transcript of Steve & Leo's podcast but I haven't done any reverse-engineering of my own.
  1. Escape/SETABORTPROC is a legitimate mechanism used by programs which are recording a series of instructions ("records") for a printer driver. If the printing gets aborted for some reason (e.g. cancelled by the user), the printer driver "calls back" to the program's "abort proc" so that the program can do whatever it needs to do when printing doesn't succeed (e.g. warn the user).

  2. All versions of Windows included the Escape/SETABORTPROC mechanism.

  3. WMF files are also a series of records in the same format, but they are saved in a file. In this context it doesn't make any sense to use Escape/SETABORTPROC, but it turns out you still can? (that might be a legitimate oversight?)

  4. HERE'S THE BEEF as reported by Steve Gibson: If you put a specially-crafted, INVALID record into your WMF file (note: not anywhere else like sending it to a printer!) then it will create a new thread and set this thread to execute code straight from the WMF file at the byte immediately following the invalid record. The processing of the WMF file will then fail as it is supposed to because of the invalid record.

There are several highly suspicious things about this:

  • The exploit is only triggered when the invalid record has length=1. This is an impossible length in a valid record because (as I understand it) all records must be of EVEN LENGTH. But it doesn't trigger the exploit for every invalid length, only a single specific value. In other words, someone almost certainly had to write code to *check* for this specific value, which makes it extremely unlikely this exploit is an "accidental side-effect" and much much more likely that it was intentionally coded by someone.

  • It creates a separate thread to run the code. This smacks of something done very deliberately! You don't accidentally create threads. In particular, this means it wasn't just a buffer-overrun or something that causes the execution to transfer to the code in the WMF file. In the compiled code, the pointer to the next byte of the WMF file might be on the stack or it might be in a register. A stack-smashing attack or buffer overrun is a typical way for a hacker to cause an address off the stack or a register to be jumped/called to. But CREATING A SEPARATE THREAD only happens when an API function for that purpose (such as beginthreadex()) is called.

  • From my reading of the transcript, it sounds like versions of Windows older than Windows 2000 probably are NOT affected by the exploit. It sounds like they support Escape/SETABORTPROC on WMF files (which is goofy but perhaps according to spec). However, it sounds like the "backdoor" (the arbitrary code execution after an illegal record with length=1) is NOT present in older versions of Windows.

  • People are saying things like "but WINE is affected too". I seriously doubt that is the case. It is probably just like Win95 or Win98 -- supporting Escape/SETABORTPROC (according to spec) but not vulnerable to the actual length=1 "backdoor".

CONCLUSION: very suspicious. It sure looks like Microsoft, or someone with access to their code some time in the 1997-2000 timeframe, deliberately inserted the capability to execute arbitrary code in a new thread with length=1.

What's strange is that until Windows XP, the WMF files were not registered automatically so unless the registration was added by a Microsoft product or some other piece of malware, Windows 2000 would not be vulnerable.

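The record layout that Prototrm's comment and this one walk through (a size field in front of every record, an escape record carrying the abort-procedure callback, and Gibson's length=1 record) can be checked mechanically on the receiving side rather than argued about. Here is an added example of such a defensive scan; it is not code from the page, from Gibson or from Microsoft. The field layout and record-type constants follow the MS-WMF specification (RecordSize counted in 16-bit words, then RecordFunction, then for META_ESCAPE the EscapeFunction and ByteCount), and the three sample files are constructed inline for the test.

```python
"""Defensive scan of a WMF byte stream for the record patterns discussed above.

Added example, not code from the page. The scanner never trusts a record's
declared size blindly: a size below the 3-word minimum (the length=1 case in
the transcript) stops parsing with a finding, and any META_ESCAPE record whose
sub-function is SETABORTPROC is flagged, since a printer-abort callback has no
use inside a file.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Constants from the MS-WMF specification.
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
HEADER_LEN = 18              # fixed META_HEADER size in bytes (9 words)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103     # harmless drawing-state record used in the clean sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function the thread calls ABORTPROC
MIN_RECORD_WORDS = 3         # RecordSize (2 words) + RecordFunction (1 word)


@dataclass
class Finding:
    offset: int   # byte offset of the offending record
    reason: str


def scan_wmf(data: bytes) -> list[Finding]:
    """Walk the record chain and report anything a file should never contain."""
    findings: list[Finding] = []
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22                                   # skip the placeable header
    if len(data) < pos + HEADER_LEN:
        return [Finding(pos, "truncated META_HEADER")]
    header_words = struct.unpack_from("<H", data, pos + 2)[0]
    if header_words != 9:
        findings.append(Finding(pos, f"HeaderSize is {header_words} words, expected 9"))
    pos += HEADER_LEN

    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < MIN_RECORD_WORDS:
            findings.append(Finding(pos, f"RecordSize {size_words} is below the 3-word minimum"))
            return findings                        # cannot safely locate the next record
        end = pos + size_words * 2
        if end > len(data):
            findings.append(Finding(pos, "record extends past end of file"))
            return findings
        if func == META_ESCAPE:
            if size_words < 5:                     # needs EscapeFunction + ByteCount
                findings.append(Finding(pos, "META_ESCAPE record too short for its fields"))
                return findings
            esc_func, _byte_count = struct.unpack_from("<HH", data, pos + 6)
            if esc_func == SETABORTPROC:
                findings.append(Finding(pos, "META_ESCAPE/SETABORTPROC: abort callback has no use in a file"))
        if func == META_EOF:
            return findings                        # normal termination
        pos = end
    findings.append(Finding(pos, "no META_EOF record before end of data"))
    return findings


def is_safe(data: bytes) -> bool:
    """True when the scan produced no findings."""
    return not scan_wmf(data)


# --- constructed sample files (not real-world captures) ---------------------

def _header() -> bytes:
    # Type=2 (disk metafile), HeaderSize=9 words, Version=0x0300; SizeLow/SizeHigh,
    # NumberOfObjects, MaxRecord and NumberOfMembers are left at 0.
    return struct.pack("<HHHHHHIH", 2, 9, 0x0300, 0, 0, 0, 0, 0)


def _record(func: int, payload: bytes = b"") -> bytes:
    body = struct.pack("<H", func) + payload
    return struct.pack("<I", (4 + len(body)) // 2) + body   # size counted in words


CLEAN_WMF = _header() + _record(META_SETMAPMODE, struct.pack("<H", 8)) + _record(META_EOF)
ABORTPROC_WMF = _header() + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)) + _record(META_EOF)
# A record that lies about its size (1 word), as described in the transcript.
BAD_SIZE_WMF = _header() + struct.pack("<IH", 1, META_ESCAPE) + b"\x00" * 4 + _record(META_EOF)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WMF), ("abortproc", ABORTPROC_WMF), ("bad_size", BAD_SIZE_WMF)):
        print(name, "->", scan_wmf(blob) or "no findings")
```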

No technical expertise needed
Authored by: Anonymous on Friday, January 13 2006 @ 02:48 PM EST
PJ, think a bit before you say "I can't evaluate" the claims. In your
words, the issue is whether or not it's true that "WMF is a backdoor, not a
coding mistake."

The problem is that this is a false dichotomy. Everybody KNOWS it's not a
coding mistake. WMF was DESIGNED to allow arbitrary code to execute, Microsoft
SAID SO PUBLICLY in the WMF specifications it published years ago when it
invented the format.

The real debate is whether the problem should be categorized as "bad
design" or as an intentional "backdoor". This is a false
dichotomy too: for one thing, any design that includes a backdoor is a bad
design (IMO).

Also, any security flaw, intentional or not, that allows attackers to gain
control of a computer is, by definition, a "back door." The WMF issue
qualifies, no question. There's no need to be "preliminary" about
that at all. So (I guess I should listen to the podcast at this point, but I'm
at work) if Gibson is claiming to have found (or "preliminarily"
found) anything new or interesting, he must intend to imply (as "back
door" generally does within the cracker/security/wannabe community) that
Microsoft *intended* the WMF format & its handling routines to provide a
backdoor - that they foresaw and intended that it could be used to crack
computers running their OS.

In short: what people may disagree over, even after they've clarified their
terms, is whether
a) As Gibson's claim, at least as you characterize it, seems to imply,
Microsoft chose this design because they wanted to have the ability to spy on
people,
or
b) Microsoft chose this design (and never bothered to modify it) because it was
convenient for various engineering reasons, and they were monumentally,
stunningly, perhaps criminally, almost certainly actionably, blind or
indifferent to the security risks they were creating.

The issue goes to Microsoft's intention, NOT to any technicalities. Pretty much
the only ways imaginable to support a statement about Microsoft's intentions are
to
-find a smoking gun, such as an internal MS memo saying "let's put a
backdoor in, and let's use WMF to do it", or a comment in the code such as
"secret backdoor here - the NSA insisted"
-find a LOT of circumstantial evidence, not only how the code behaves but in
things from which deliberate action by MS executives can be inferred - maybe
there was an earlier version that didn't have the flaw, but this was changed
after a hush-hush meeting of the top brass?

Can Gibson possibly have found such evidence? I doubt it. If he had found a
smoking gun, he'd have published it. A phrase like "preliminary
conclusion" would be meaningless. (It's reprehensible in any case. If
it's so preliminary, why publish now?) As for circumstantial evidence, previous
posters have already piled up quite a bit of it that tends to show that the WMF
format was a crime of depraved indifference, not a crime of malice. The most
obvious pieces of evidence are:
-this "mind-bogglingly stupid" (to quote an earlier poster) design
was publicly documented. That's inconsistent with a secret backdoor, to say the
least.
-so is the fact that different versions of Windows differ in the degree to
which they are vulnerable. If you were writing the code, wouldn't you make sure
your backdoor always works?

In short, a bit of common sense is all you should have needed. The WMF
"flaw" is indeed important and scary, and as I said above MS's actions
were possibly criminal, or at least grossly negligent. But if you or Gibson
meant to imply that this particular piece of code was *intended* by MS to be
used for cracking/spying, that's an accusation that should have been easy to
dismiss.


Avoid all W* acronyms
Authored by: Nick_UK on Friday, January 13 2006 @ 03:26 PM EST
Bliar & Bush: WMD
MS & Gibson et al: WMF

Me and the rest of the world: WTF?

Nick ;-)


I really really tried to read the transcript!
Authored by: ray08 on Friday, January 13 2006 @ 04:03 PM EST
But after 15 minutes of almost nonstop "I mean...you know...like"
(repeat 1000 times!) I had to protect my sanity and stop.

---
Caldera is toast! And Groklaw is the toaster! (with toast level set to BURN)


this is bs :)
Authored by: Anonymous on Friday, January 13 2006 @ 04:31 PM EST
The WMF 'backdoor' existed before ActiveX and Microsoft on the internet.
It is from times when Windows was a desktop only thingie and the internet was
only for university people.

Whoever Steve Gibson is, he just wants some quick fame.
I can believe that MS is evil, or that some of their programmers coded or tried
to inject a backdoor in the past, but in this case I believe it is really just
negligence and incompetence.

Remember, even Wine made its stuff compatible, so before mr. Gibson people
believed this 'feature' is a good one.


It's a matter of control
Authored by: philc on Friday, January 13 2006 @ 04:45 PM EST
Microsoft must always be in control. That's why they explicitly do things that
permit them to, without your permission, do what they want inside your
computer.

Linux, on the other hand, puts you in control. Nothing happens unless you let it
happen.

For example: it's never a problem for Microsoft to put code in a macro, file
format, or such. After all they control your system so they can add code from
time to time. Of course IE will execute programs that come on web pages. Web
pages come from Microsoft certified web servers. When MS needs a little code
executed, it's in control and just does it. It's OK to verify the software on your
system. It's OK to use DRM to verify you have access to the files. It's all just
part of being in control. It's important for a network single login to go through
Microsoft servers.

This worked OK for a while until others found out how to proxy (act on behalf
of) Microsoft. The world of malware was enabled. Microsoft can not keep others
from using their mechanisms.

It is this fundamental design philosophy that drives Microsoft and the security
problems that plague them.

The Linux approach is to put the user in charge. Code is executed when the user
runs it. In Linux there is no execution of code on web pages. No executing email
attachments. No code in macros. Why would anyone give away control like that?
Linux looks out for you, the user.

Linux's approach makes it very difficult for malware writers since there are no
general mechanisms or philosophies that would permit viruses.


Fails Hanlon's Razor
Authored by: Anonymous on Friday, January 13 2006 @ 05:34 PM EST
Never attribute to malice that which can be adequately explained by stupidity.


PJ -- have you stepped out of bounds?
Authored by: Anonymous on Friday, January 13 2006 @ 06:02 PM EST

This may be a valid claim, or not. The fact is that this is only one person's speculation, without much backup.

What is it called in journalism when unsupported statements are published? (e.g., Boston Globe v Quinn).

What is it called in law when unsupported statements are made by a deponent?

Dumping the credibility decision about a story onto the reader is hardly a professional approach.

I've come to regard Groklaw as balanced and careful, especially where there is nuance and complexity in subject matters. It takes care not to stray into gossip. Other material on Sony, SCO etc. is always presented when there are clearer volumes of evidence to support a point. I think there may be some straying going on here that should be curbed pending clearer evidence. MS may be a brawling bully, but that conclusion is supported by huge volumes of evidence. Please don't hurt the quality of this site by gossip.

Regards Paul Thomas


Hmmmmmmmm....
Authored by: Anonymous on Friday, January 13 2006 @ 06:05 PM EST
With articles like Victor Yodaiken's decrying the purported effects of DRM on
nuclear power plants, and the present one citing Steve Gibson, I think that
Groklaw is losing its objectivity and quickly descending into spreading FUD.


Mystery Solved, Just Another Microserf Who Can't Count
Authored by: Anonymous on Friday, January 13 2006 @ 08:40 PM EST
From the podcast transcript:

So what I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. Okay, Leo? This was not a mistake. This is not buggy code. This was put into Windows by someone.

No mystery. This is just the same old indexing problem that bad programmers have. In this case, the index is off by one in the positive direction. Thus one byte becomes the error trigger when it should have been zero. This is how so many buffer overruns have occurred in Windows. Does the array use zero or one index as a starting value? I might agree with Steve if this was not one byte difference but it is so obviously just another stupid serf mistake and not a feature!

This is why open source will triumph. Too many eyes on the code to allow rookie mistakes like the ones that riddle the proprietary mess that is windows.

[ Reply to This | # ]

What percentage of XP users run patches?
Authored by: Anonymous on Friday, January 13 2006 @ 09:09 PM EST
Microsoft got caught putting a backdoor in its IIS server software. As a fix
they urged their customers to delete dvwssr.dll, then went on to make more
billions and billions.

I'm not the least bit astonished that on close inspection Steve Gibson thinks
this one looks more like design than accident.

One thing that bothers me a lot about this WMF exploit is, I wonder how many
people actually keep their XP patched?

Many of the computer owners I know don't even really understand patching and
don't do it.

Any way to know the likely percentage of patches that get installed?

[ Reply to This | # ]

Steve Gibson
Authored by: The Mad Hatter r on Friday, January 13 2006 @ 10:39 PM EST


I saw a lot of Pro and Anti Steve Gibson posts, and I felt I had to drop in my
two cents, after reading the transcript.

1) Steve says that this is a preliminary report - he still has further things to
check.

2) However the exploit does work as advertised.

3) That it could be a problem.

Now Steve Gibson is a genius. I've seen examples of his work several times, and
the man is a brilliant programmer. The real question is how right is he in this
case?

Right now we don't know, and he himself admits that he doesn't know. He did draw
attention to a possible problem, and in such a way as to draw a lot of attention
to it. Now that he's made the issue public other programmers can start to play
with it, and it should be interesting seeing their reports.

Remember - he said "So, again, it may be that a week from now I come back
with my tail between my legs and say, Leo, you know, I told what I believed to
be the case at the time."

Let's give him that week.



---
Wayne

http://urbanterrorist.blogspot.com/

[ Reply to This | # ]

Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: Anonymous on Friday, January 13 2006 @ 10:58 PM EST

Explanation is here:

http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

[ Reply to This | # ]

Lots of folks here
Authored by: Anonymous on Saturday, January 14 2006 @ 12:44 AM EST
vehemently denouncing things Gibson never said.

Quite a few enthusiastic assertions turn out to be NOT true.

Some of PJ's oldest and bestest fans seem to think she has suddenly inexplicably
turned against M$.

The stage-coach has just pulled into town carrying a hot-shot lawyer and two
eye-witnesses.

[ Reply to This | # ]

this makes me wonder about something a MS coder friend said...
Authored by: Anonymous on Saturday, January 14 2006 @ 07:37 AM EST
I was talking with two friends several years back, one was a coder for MS and
the other was a networking/security specialist, about MS's DRM. I was
talking about how soon you wouldn't be able to keep MS out of your computer; my
net/sec friend responded that he would just firewall it. My MS friend's response
was they would bypass it. We (I) half thought he was being flippant as he didn't
provide any serious answer. I wish I could remember his exact responses now, but
it wasn't something *he* was working on.

It rang through my head when I read the following...

"Leo: So you're saying Microsoft, or people at Microsoft maybe unbeknownst
to Microsoft, intentionally put code in Microsoft Windows that will allow
anybody who knew about it access any Windows machine, to get into any Windows
machine and run any arbitrary code on it.

Steve: Well, it's not like a trojan, where they would be able to contact a
remote machine. But, for example, if Microsoft was worried that for some reason
in the future they might have cause to get visitors to their website to execute
code, even if ActiveX is turned off, even if security is up full, *even if
firewalls are on,* basically if Microsoft wanted a short circuit, a means to get
code run in a Windows machine by visiting their website, they have had that
ability, and this code gave it to them.

Leo: And there'd be nothing anybody could do about it or - and in most cases
detect it. So it sounds like - and I really want to be careful here because this
is a very serious accusation. It sounds like this was done on purpose by
Microsoft or somebody at Microsoft. It sounds like it was accidentally
discovered. Microsoft reacted and has pulled it out now."

I wonder if Mark over at sysinternals will have anything to add to this?

[ Reply to This | # ]

Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: Anonymous on Saturday, January 14 2006 @ 09:21 AM EST
Well, if Steve Gibson is just making fear statements, does that mean Microsoft
would never do such a thing???

Everyone criticizing Steve is either a security expert or just an idiot who is
pro-Microsoft.

Whoever has the proof he's wrong, prove it in detail,
so that his tests are false. I'm no sec. expert but am anti-M$ and wouldn't put it
past Gates's company to do whatever it takes to generate something of
controversy to have people scared, so as to hurry and spend the bucks to buy
Vista. It's all about the money; MS doesn't care about a stable and secure OS as long
as billions can be made off the people.

[ Reply to This | # ]

Steve Gibson: Caveat Emptor
Authored by: Anonymous on Saturday, January 14 2006 @ 09:21 AM EST
Mr. Gibson is a talented programmer but an even more talented self-promoter. The
guy has sold the same useless piece of software for over a decade now.

Be careful, guys.

[ Reply to This | # ]

Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: Anonymous on Saturday, January 14 2006 @ 07:53 PM EST
the site is now dead! A Microsoft contract? Poor Steve, I hope he has home
security!!

[ Reply to This | # ]

Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake
Authored by: Anonymous on Saturday, January 14 2006 @ 10:59 PM EST
If it was one of the government sponsored backdoors (and IMHO I think there
are some) it would have had a password. My hunch is either more bad code or a
coder slipped it by his superiors.

Similar code has a much better chance of being spotted in the Open source world.

[ Reply to This | # ]

A suggestion
Authored by: Hop on Sunday, January 15 2006 @ 01:24 AM EST
Before you make comments on this, please listen to the show or read the
transcript. Then you'll know exactly why he claims it's a backdoor.

[ Reply to This | # ]

If this IS an intentional back door, then what?
Authored by: OmniGeek on Sunday, January 15 2006 @ 10:05 AM EST
Let's assume, arguendo, that this IS an intentional back door. (The fact that the Microsoft GDI, itself, and NOT some exploit code, spawns a new thread to execute code contained in a malformed graphics file, makes it nearly certain it was intentional on SOMEONE's part. Forensic analysis of the code before and after the patch should prove VERY illuminating -- and no, I'm NOT fingering the Illuminati ;-))

Then, it is either 1) some cowboy coder's illicit effort, or 2) an officially sanctioned back door for corporate use by Microsoft. Let's look at the implications of each path.

1) Cowboy coder -- The backdoor will be unceremoniously ripped out ASAP, followed by an internal audit of everything else that coder worked on (which may cause some delay, as they'll want to clean out ALL the traps). Corporate CYA will keep Microsoft from admitting that it was an intentional back door, and they will resist outside audits of the offending code. New back doors by cowboy coders are unlikely; officially-admitted DRM hooks and Product Activation spyware are unaffected.

2) Officially sanctioned -- The backdoor will be removed, only to be replaced by something better-hidden, using obfuscated GDI code to keep it from discovery, and a better-secured "malformation" to open the door to authorized parties only. There will be some delay in providing the "patch" while the better-hidden backdoor is designed. Corporate policy will preclude admission that it was intentional, and they will resist outside audits of the offending code. There will always be such official back doors, in addition to any officially-admitted DRM hooks and Product Activation spyware.

So, in EITHER case, under these (eminently reasonable) assumptions, a) we'll never find out why this happened, absent disclosure during a court or government inquiry; b) Microsoft's behavior will seem shifty and suspicious, whether for CYA or to conceal intentional backdoors, and c) we'll never, ever be able to really trust that a Microsoft OS isn't serving a master other than ourselves. The presence or absence of an intentional backdoor like this just adds or subtracts one path among the officially-acknowledged ways Microsoft intrudes on our computers.

Oddly enough, this isn't where I thought this analysis was going; I had expected to conclude that Microsoft's response indicated corporate intent, and instead it's a wash. We can't trust our privacy to Windows in either case...

---
My strength is as the strength of ten men, for I am wired to the eyeballs on espresso.

[ Reply to This | # ]

re: MS explanation: I call bullshit
Authored by: Anonymous on Sunday, January 15 2006 @ 07:11 PM EST
Sorry about the language, but that explanation has a hole big enough in it to drive a truck through. Note the bolded text:

Now, there’s been some speculation that you can only trigger this by using an incorrect size in your metafile record and that this trigger was somehow intentional. That speculation is wrong on both counts. The vulnerability can be triggered with correct or incorrect size values. If you are seeing that you can only trigger it with an incorrect value, it's probably because your SetAbortProc record is the last record in the metafile. The way this functionality works is by registering the callback to be called after the next metafile record is played. If the SetAbortProc record is the last record in the metafile, it will be more difficult to trigger the vulnerability.

Well, now, if the SetAbortProc is supposed to be called after the next metafile record is played, why is it called at all when there is no next record and the fake current record length is set to an invalid value of one?

The proc should never be called at all in that case.

[ Reply to This | # ]

Backdoor into Windows - so what?
Authored by: Anonymous on Monday, January 16 2006 @ 01:20 AM EST
Windows belongs to Microsoft. You may use their software if you pay them a
license fee. It is still their property. I assume they never promised what
functions are not and will not be present in their property. But they do claim
the right to change them without your knowledge.

[ Reply to This | # ]

Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake - Updated
Authored by: Anonymous on Monday, January 16 2006 @ 05:32 AM EST

Those of you interested in Steve Gibson's comments from his ongoing analysis may want to take a peek at the discussion in one of the grc discussion groups:

http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60621&utag=
Subject: Re: Confused on the WMF issue, and curious of tools used.
Date: Sun, 15 Jan 2006 15:12:07 -0800
From: Steve Gibson

http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60629&utag=
Subject: Re: KnockKnock updated, and I'm off to get answers ...
Date: Sun, 15 Jan 2006 16:56:59 -0800
From: Steve Gibson

http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60632&utag=
Subject: I've found the code in Windows 2000 ...
Date: Sun, 15 Jan 2006 17:24:21 -0800
From: Steve Gibson

http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60658&utag=
Subject: Re: I've found the code in Windows 2000 ...
Date: Sun, 15 Jan 2006 19:26:55 -0800
From: Steve Gibson

[ Reply to This | # ]

  • Thanks - Authored by: Anonymous on Monday, January 16 2006 @ 04:58 PM EST
Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake - Updated
Authored by: Anonymous on Tuesday, January 17 2006 @ 04:54 PM EST
I am amazed at how many supposed rebuttals to Steve Gibson's claims are simply
attempts at character assassination. This tactic is underhanded at best and
contributes nothing to the debate over whether or not this flaw is accidental or
an intentional backdoor.

It really boils down to this, even according to Steve Gibson:

1. There is a security vulnerability in WMF
2. The question is, was this an accident or an intentional back door?

Steve Gibson suggests there is strong evidence that it is intentional, but he
does not say it MUST be intentional.

It is unlikely that we'll ever find out with any certainty whether or not this
flaw was actually an intentional back door. Personally, I don't care if it's
accidental or intentional. It's bad enough that Microsoft simply ported GDI
code. It should be obvious to any decent programmer that you are asking for
trouble if you give functions like these direct access to the GDI.

The Microsoft Blog post refutes Steve's claim that it can only be triggered by
passing the "wrong" data value, which Steve uses as evidence that the
vulnerability was intentional. The rebuttal in the Microsoft blog does not,
however, accomplish its intended purpose. The fact that you can exploit this
flaw with a correct value does not refute the fact that it may be an intentional
back door. The value that you pass turns out to be an offset, which if used
correctly, will trigger the SetAbortProc in the WMF.

The fact is that there is a simple way to know how to use a correct or incorrect
size in order to make sure your code is triggered. So the question as to
whether or not this was an intentional back door remains open.

As I said, I doubt if it will ever be closed, but so far the Microsoft rebuttal
did nothing to close it.

-NPetreley

[ Reply to This | # ]
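Editor's added example, not code from any commenter, from Steve Gibson or from Microsoft: the "I call bullshit" comment and NPetreley's comment above both turn on how a WMF record's size field and the SetAbortProc escape record interact (the callback is registered by a META_ESCAPE record carrying escape number SETABORTPROC, and Microsoft's note says it fires after the *next* record is played), and the "Can't Count" comment turns on what a one-word size field does to record walking. The Python below walks a WMF record stream using the public record layout (32-bit size in words, 16-bit function code, parameters), reports SETABORTPROC escape records with the two facts a reviewer wants (is the size field sane, and does another record follow before META_EOF), and refuses to advance on a size below the 3-word minimum. It makes no claim about what GDI itself does with such a record. The two metafiles are constructed here for the example; the constants are the documented WMF values.

```python
"""Walk a WMF record stream and report SETABORTPROC escape records.
Added example for the Groklaw thread; sample files are constructed below."""
import struct

# Documented WMF record function codes and escape number (MS-WMF / wingdi.h).
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
META_EOF = 0x0000
SETABORTPROC = 9
PLACEABLE_KEY = 0x9AC6CDD7        # 22-byte placeable header, if present
HEADER_FMT = "<HHHIHIH"           # Type, HeaderSize(words), Version, FileSize(words),
                                  # NumObjects, MaxRecord(words), NumMembers


def build_wmf(records):
    """Wrap (function, params) pairs into a minimal standard WMF.
    Record layout: [size:u32 words][function:u16][params]; params must be an
    even number of bytes.  A META_EOF record is appended automatically."""
    body = b""
    max_words = 3
    for func, params in records:
        if len(params) % 2:
            raise ValueError("WMF parameters are 16-bit words")
        words = 3 + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    body += struct.pack("<IH", 3, META_EOF)
    header = struct.pack(HEADER_FMT, 1, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    return header + body


def set_record_size(data, offset, words):
    """Overwrite the size field of the record at `offset` (only used here to
    build a deliberately malformed sample)."""
    return data[:offset] + struct.pack("<I", words) + data[offset + 4:]


def walk_records(data):
    """Yield one dict per record.  Stops at META_EOF, at the end of the buffer,
    or at a record whose size field is below the 3-word minimum: a walker that
    trusted such a field would advance by only size*2 bytes and re-read part of
    the current record as the next record's size field."""
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec = {"offset": off, "size_words": size_words, "function": func,
               "params": b"", "malformed": size_words < 3}
        if rec["malformed"]:
            yield rec
            return
        end = off + size_words * 2
        rec["params"] = data[off + 6:min(end, len(data))]
        yield rec
        if func == META_EOF or end > len(data):
            return
        off = end


def find_setabortproc(data):
    """Return SETABORTPROC escape records with the context the thread argues
    about: declared size, whether it is malformed, and whether another record
    follows it before META_EOF."""
    recs = list(walk_records(data))
    found = []
    for i, rec in enumerate(recs):
        if rec["function"] != META_ESCAPE:
            continue
        if rec["malformed"]:
            # Size field too small to carry parameters; peek at the raw bytes
            # that sit where the escape number would be.
            raw = data[rec["offset"] + 6:rec["offset"] + 8]
        else:
            raw = rec["params"][:2]
        esc = struct.unpack("<H", raw)[0] if len(raw) == 2 else None
        if esc != SETABORTPROC:
            continue
        nxt = recs[i + 1] if i + 1 < len(recs) else None
        found.append({"offset": rec["offset"], "size_words": rec["size_words"],
                      "malformed": rec["malformed"],
                      "followed_by_record": nxt is not None and nxt["function"] != META_EOF})
    return found


# Constructed samples: a well-formed SETABORTPROC escape followed by one more
# record, and the same bytes with the escape record's size field forced to 1.
SETABORTPROC_PARAMS = struct.pack("<HH", SETABORTPROC, 0)   # escape number, byte count
WELL_FORMED = build_wmf([(META_ESCAPE, SETABORTPROC_PARAMS),
                         (META_SETMAPMODE, struct.pack("<H", 1))])
FIRST_RECORD_OFFSET = 18                                    # directly after the 18-byte header
SIZE_ONE = set_record_size(WELL_FORMED, FIRST_RECORD_OFFSET, 1)

if __name__ == "__main__":
    for name, blob in (("well-formed", WELL_FORMED), ("size=1", SIZE_ONE)):
        print(name, find_setabortproc(blob))
```

Run as a script it prints one finding per sample: the well-formed file shows a 5-word escape record with a record after it, the patched file shows a 1-word record flagged malformed with nothing after it, because the walker stops rather than stepping two bytes into the record it just read. That is the parsing-level difference the thread is arguing over; whether a given GDI build treated the two cases differently is exactly the question the comments leave open.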

Steve Gibson explains; Not backdoor, but MICE!
Authored by: NilsR on Thursday, January 19 2006 @ 08:22 PM EST

Gibson replies in his latest SecurityNow podcast and expands in detail on his website.

There's also a free (as in money) utility that can be used to test Wine as well as Windows.

---
NilsR

[ Reply to This | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )