Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake - Updated 2Xs

Friday, January 13 2006 @ 11:18 AM EST
Those of you using Microsoft Windows 2000 or XP will want to follow this story: Steve Gibson
has examined WMF and he now believes it was deliberately coded. It looks to him that Microsoft put a backdoor into Windows, which can be triggered even if Active X is turned off and security is at high. It could be a renegade coder, he says, but it's not, in his view, bad design or a mistake. I can't evaluate what he says, but if it's true it is so serious to your privacy and security, I would feel irresponsible not to point you to his podcast, so you can evaluate for yourself. So the podcast is here. Also, there are a number of Sony lawsuits going on, and some are considering settling. They also might like to know about this issue. He is still testing, so this is a preliminary finding. It's possible that in a week he'll have more answers or a different explanation. Microsoft has yet to speak. Gibson is not an Open Source advocate, but he says he's gravitating toward it now. Warning: you have to get through some graceless conversation about whether to use hacker or cracker, but that's just the first couple of minutes. UPDATE: An explanation from the Microsoft Security Response Center Blog.
2d Update: Mark Russinovich, on why he believes it was poor design, not a backdoor. 3d UPDATE: Gibson acknowledges one mistake, but stands by his view that this was coded intentionally.
After acknowledging his mistake because the test metafile only had a single record, "I talked about ... the fact that the metafile record had to, apparently, in my case had to be set to an incorrect length in order to make this happen", Gibson is asked if that destroys his premise that this was coded deliberately:
LEO: Does that destroy your argument, or does it impact the argument?
STEVE: Well, I don't think it does. I mean, certainly it takes some of the edge off of it. But when I did finally look at Windows - I mean, and believe me, Leo, I was holding my breath that, you know, as I said, I might end up retracting everything and be completely wrong about this - when I looked at Windows I saw, I mean, as clear an example of intention as I have ever seen. I mean, this was just code designed to do this, code designed to jump into the metafile image and run the code contained in the image.
LEO: Now, Stephen Toulouse, who blogged about this for Microsoft, said, well, sure it's intentional, but it's intentional with a benign point of view. It was to allow GDI functionality; right?
STEVE: No. No one ever believed, I mean, no documentation, no common practice, no use ever had metafile images running code. I mean nowhere. I've put together and I've further fleshed out the page that I began last week. It was just sort of a placeholder page. It's at GRC.com/wmf/wmf.htm - WMF, of course, for Windows MetaFile. I've laid the whole thing out. I've got a screenshot and link to Microsoft's original documentation from Windows 3.0 and 3.1 explaining what this whole ABORTPROC thing is, and that it is for executing code in the user's application. I mean, it makes - it's crazy to think that even Microsoft at any time in the past would have thought that it made sense to mix code with drawing commands.
LEO: So the only reason you'd put this in is why?
STEVE: The only reason is to run code in an image, which has never been sanctioned, never documented, and, I mean, makes no practical sense.
LEO: There's no other legitimate use of that. It's so that you could put code in an image.
STEVE: Well, exactly. And, even more so, when a program runs, the Windows Loader does all kinds of fancy things, fixing up and filling out that IAT that we talked about a long time ago with RootkitRevealer, the Import Address Table, which essentially connects the application into the Windows API. If you're code running in an image, you have no advantage of Windows Loader, which basically makes it feasible for you to talk to the rest of Windows. Ilfak, in his vulnerability tester, because of this had to go through all kinds of very tricky hacker hoops in order to explicitly get access to Windows in order to just pop up his little dialogue that said you are or you are not vulnerable. It was a lot of work.
So, I mean, it just - it doesn't make sense that Microsoft could have ever published the idea of doing this; yet not only did I look at this, at the way this is implemented, but our friend Mark Russinovich from Sysinternals, he looked at it and sent me email, which I have a link to also on our WMF page. He analyzed this and concluded, just as I had, that this was intentional. He was not comfortable saying it was a backdoor. And, I mean, I respect his opinion. You know, "backdoor," as I said, is a very loaded word that carries with it all kinds of, you know, implicit malice, which I never meant to imply. But Mark, looking at the same code I have, and actually several other people, too, recognized that, for whatever reason, this is what the coder intended.

Authored by: Weeble on Friday, January 13 2006 @ 11:42 AM EST
In case there are any.
---
You Never Know What You're Going to Learn--or Learn About--on Groklaw!
(NOTE: Click the "Weeble" link for Copying Permissions and Contact Info.)

Authored by: overshoot on Friday, January 13 2006 @ 11:43 AM EST
Please be courteous and make links clickable HTML. Instructions at bottom of comment pane.
|
- Outlook TNEF flaw could be much worse than WMF flaw - Authored by: Anonymous on Friday, January 13 2006 @ 12:29 PM EST
- Windows support program bent to fit - Authored by: Anonymous on Friday, January 13 2006 @ 02:03 PM EST
- "There Is No Open Source Community" - Authored by: cmc on Friday, January 13 2006 @ 02:11 PM EST
- Gibson - Authored by: Anonymous on Friday, January 13 2006 @ 03:18 PM EST
- Just out of interest - Stephen Kurkjian and the Boston Globe. - Authored by: Anonymous on Friday, January 13 2006 @ 06:27 PM EST
- OT here, please - Authored by: Anonymous on Friday, January 13 2006 @ 06:56 PM EST
- Slashdot article - and a specific post to determine intent - Authored by: SpaceLifeForm on Friday, January 13 2006 @ 08:30 PM EST
- U.K. judge frowns on software patents - Authored by: Anonymous on Friday, January 13 2006 @ 08:33 PM EST
- "Opera launches web browser for consumer gadgets" - Authored by: Anonymous on Friday, January 13 2006 @ 08:34 PM EST
- Do I smell wookies and trolls? - Authored by: Anonymous on Friday, January 13 2006 @ 09:02 PM EST
- This is fun-- please more team 99 posts - Authored by: Anonymous on Friday, January 13 2006 @ 09:23 PM EST
- RIM, Google sign deal - Authored by: SpaceLifeForm on Friday, January 13 2006 @ 10:38 PM EST
- OT: Action in Red Hat?? - Authored by: Steve Martin on Friday, January 13 2006 @ 10:41 PM EST

Authored by: Anonymous on Friday, January 13 2006 @ 11:46 AM EST
Is there a link?

Authored by: Anonymous on Friday, January 13 2006 @ 11:52 AM EST
WMF dates back to the times when MS were thinking that putting the capability to execute code in every file format was a great idea. It's therefore likely to be part of that misguided (to say the least - mindbogglingly stupid would be another phrase) policy rather than a malevolent backdoor...

Authored by: Anonymous on Friday, January 13 2006 @ 12:11 PM EST
I avoid the use of the term "Hacker" or "Cracker" when referring to people that break into other people's computer systems. I prefer to use the term "criminal".
|
- Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake - Authored by: Anonymous on Friday, January 13 2006 @ 01:19 PM EST
- Hacker vs Cracker - Intruder has many of the right connotations. - Authored by: ankylosaurus on Friday, January 13 2006 @ 02:21 PM EST
- Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake - Authored by: Anonymous on Friday, January 13 2006 @ 06:35 PM EST
- Back in the day... - Authored by: DaveAtFraud on Friday, January 13 2006 @ 10:10 PM EST
- Nice thing about slang terms... - Authored by: Anonymous on Friday, January 13 2006 @ 11:29 PM EST
- ID ten .... - Authored by: Anonymous on Saturday, January 14 2006 @ 05:29 PM EST
- Steve Gibson: MS WMF is a Backdoor, Not a Coding Mistake - Authored by: Anonymous on Wednesday, January 18 2006 @ 05:09 AM EST

Authored by: Anonymous on Friday, January 13 2006 @ 12:11 PM EST
Sorry, but Steve Gibson is well-known for making outrageous and patently false statements and generally not having a clue what he is talking about. He is a self-proclaimed security "expert" who gets by with snake-oil and lots of muddling. Please don't take anything he says seriously. Read the Wikipedia article on him and the sources it links to if you don't believe me.
Not that I'd put it past M$ to install such a backdoor, but coming from this source I'd say it's more likely they didn't.
|
- Umm, Steve Gibson is a crank - Authored by: Anonymous on Friday, January 13 2006 @ 12:23 PM EST
- Umm, Steve Gibson is a crank - Authored by: belzecue on Friday, January 13 2006 @ 12:23 PM EST
- Well said! - Authored by: tiger99 on Friday, January 13 2006 @ 12:46 PM EST
- Umm, Steve Gibson is a crank - Authored by: Anonymous on Friday, January 13 2006 @ 02:17 PM EST
- Umm, Steve Gibson is a crank - Authored by: Anonymous on Friday, January 13 2006 @ 02:56 PM EST
- Umm, Steve Gibson is a crank - Authored by: El_Heffe on Friday, January 13 2006 @ 07:55 PM EST
- Hmm - Authored by: Arker on Saturday, January 14 2006 @ 01:26 AM EST
- Umm, Steve Gibson is a crank - Authored by: haphazard on Friday, January 13 2006 @ 08:40 PM EST
- Umm, Steve Gibson is a crank - Authored by: camc on Friday, January 13 2006 @ 12:31 PM EST
- Umm, Steve Gibson is a crank - Authored by: Anonymous on Friday, January 13 2006 @ 12:32 PM EST
- Umm, Steve Gibson is a crank - Authored by: PJ on Friday, January 13 2006 @ 12:40 PM EST
- Umm, Steve Gibson is a crank - Authored by: Anonymous on Friday, January 13 2006 @ 12:54 PM EST
- Umm, Steve Gibson is a crank - Authored by: Anonymous on Friday, January 13 2006 @ 01:59 PM EST
- You don't know much do you. - Authored by: Anonymous on Friday, January 13 2006 @ 02:08 PM EST
- not relevant indeed - Authored by: DrHow on Friday, January 13 2006 @ 07:22 PM EST
- not relevant indeed - Authored by: Anonymous on Friday, January 13 2006 @ 11:50 PM EST
- old news - Authored by: DrHow on Sunday, January 15 2006 @ 04:48 PM EST
- old news - Authored by: Anonymous on Monday, January 16 2006 @ 11:58 AM EST
- old news - Authored by: Anonymous on Tuesday, January 17 2006 @ 01:36 AM EST
- Umm, Steve Gibson is a crank - Authored by: Anonymous on Friday, January 13 2006 @ 11:42 PM EST
- Your opinion of him is utterly irrelevant to his claim - Authored by: Anonymous on Friday, January 13 2006 @ 12:51 PM EST
- Wrong - Authored by: Anonymous on Friday, January 13 2006 @ 05:42 PM EST
- I'd Trust Steve Gibson over M$--And About Older Win Versions... - Authored by: Weeble on Friday, January 13 2006 @ 12:56 PM EST
- Umm, Steve Gibson is a crank - Authored by: Anonymous on Friday, January 13 2006 @ 01:11 PM EST
- Umm, Steve Gibson was right before - Authored by: NetArch on Friday, January 13 2006 @ 01:30 PM EST
- Phrase of the day - Authored by: Anonymous on Friday, January 13 2006 @ 02:01 PM EST
- Old Steve vs. New Steve - Authored by: Anonymous on Friday, January 13 2006 @ 03:25 PM EST
- Seconded - Authored by: Anonymous on Friday, January 13 2006 @ 06:11 PM EST
- Wikipedia says, This page was last modified 19:50, 13 January 2006. (nt) - Authored by: Anonymous on Friday, January 13 2006 @ 11:33 PM EST
- It's the code that's important, not Gibson - Authored by: turing_test on Sunday, January 15 2006 @ 01:03 PM EST
- Proprietary software is unethical and unwise. - Authored by: jbn on Tuesday, January 17 2006 @ 05:05 AM EST

Authored by: Anonymous on Friday, January 13 2006 @ 12:17 PM EST
Gibson may well be right about this, but he does have a habit of oversensationalising things. Is there any independent confirmation?
|
- Second source? - Authored by: Anonymous on Saturday, January 21 2006 @ 09:01 AM EST

Authored by: Anonymous on Friday, January 13 2006 @ 12:23 PM EST
One fact that this guy ignores: Wine also has the WMF vulnerability. Wine has no MS code in it. They just followed the specs.
Just bad design, not a deliberate backdoor.

Authored by: archanoid on Friday, January 13 2006 @ 12:29 PM EST
PJ, I would be wary of taking much of what Steve Gibson says and running with it. He is widely known by many well respected folks (Fyodor, whom I respect, for instance) as being something along the lines of Dan Lyons, Maureen O'Gara, et al.
Here is a discussion from the last time Steve Gibson reared up where he is referred to as "a media slut" and "a charlatan" (not that name calling debunks his work, it is just an idea of how he is widely viewed).
I have personally read and evaluated his rants about XP raw sockets and (as is now evidenced by the fact that his dire predictions never came to fruition) found him to be wholly unbelievable.
WMF may or may not be a backdoor. But "never attribute to malice what can be adequately explained by stupidity." I think that's an apt rule here and Mr. Gibson is likely trolling for hits.

Authored by: cybervegan on Friday, January 13 2006 @ 12:40 PM EST
WMF is not really a *format* as such.
It stands for Windows Metafile Format, and just like so many of MS's "formats" it's just a memory dump - this time it's effectively a dump of the Windows GDI (Graphics Device Interface) procedures and parameters required to draw the image on a device context (i.e. the screen or a printer).
WMF has been problematic since early versions of Windows, but has fortunately fallen into obscurity until recently.
regards,
-cybervegan
---
Software source code is a bit like underwear - you only want to show it off in public if it's clean and tidy. Refusal could be due to embarrassment or shame...
|
- Wrong! - Authored by: wjaguar on Friday, January 13 2006 @ 02:04 PM EST

Authored by: Anonymous on Friday, January 13 2006 @ 12:41 PM EST
I'm too lazy to make an account. Contact me (Nicholas Weaver) at nweaver@gmail.com
This isn't a deliberate backdoor, it is an old and DOCUMENTED design flaw dating back to the Win3.1 days. It's a way for a graphics document (WMF) to efficiently render to hardware and have a mechanism to escape to do something to fix things IF something happens.
It's deprecated, DOCUMENTED (do you really document your Super L337 BackDoor?), and legacy.
The lesson in WMF is not that it's a backdoor, but the danger of backwards compatibility. Something which really actually made sense in the days of Win3.1 and DOS might (and often is) be totally out of place in the days of WinXP.
Microsoft's problem, unlike Apple, is that it can't or won't throw out the old.
|
- I call BS - Authored by: Carlo Graziani on Friday, January 13 2006 @ 12:59 PM EST
- I call BS - Authored by: Anonymous on Friday, January 13 2006 @ 01:01 PM EST
- I call BS - Authored by: Anonymous on Friday, January 13 2006 @ 02:35 PM EST
- I call BS - Authored by: Anonymous on Friday, January 13 2006 @ 03:09 PM EST
- I call BS - Authored by: Anonymous on Tuesday, January 17 2006 @ 12:02 PM EST
- I call BS - Authored by: Anonymous on Friday, January 13 2006 @ 01:51 PM EST
- I think you are also to lazy to think soundly - Authored by: Anonymous on Friday, January 13 2006 @ 03:28 PM EST

Authored by: gbl on Friday, January 13 2006 @ 12:44 PM EST
The real problem is not executable code within a data file - it's the way Windows aggressively seeks out executable code in files and then executes it.
Remember a couple of years ago when it was discovered that Javascript in the comment field of a GIF or PNG file was run within Internet Explorer.
Windows is open, it's just the bad kind of open :-)
---
If you love some code, set it free.

Authored by: edal on Friday, January 13 2006 @ 12:52 PM EST
Is this one of the NSA backdoors that everyone was talking about a while ago?
Ed Almos
Budapest

Authored by: Anonymous on Friday, January 13 2006 @ 12:53 PM EST
Hi
Steve Gibson has posted transcripts here:
Several formats: http://www.grc.com/SecurityNow.htm#22
I second the notion that he's a sensationalist. His Shields Up! testing is very useful, though :)

Authored by: Anonymous on Friday, January 13 2006 @ 12:58 PM EST
Hi
Steve Gibson has posted transcripts here in several formats.
I second the notion that he's a sensationalist, and would like independent assessments of this material. His Shields Up! testing is very useful, though :)

Authored by: Anonymous on Friday, January 13 2006 @ 01:07 PM EST
I agree with Steve. I felt this from the very first time I heard about the exploit. My reasoning:
* ANY REASONABLE CODE REVIEW of such an important file format would have found this problem.
* This file format has been around for 15 years like this. That's an ETERNITY in computing. How could it not have been known to at least Microsoft? Are they that ignorant of their own codebase? I doubt it.
* The attack vector is perfect for exploiters. No overflows needed, easily fools most apps by disguising as other file types (because Microsoft is deliberately ignorant of MIME types in some important apps and circumstances), and it even hooks into GDI!!!
In my opinion, the real scandal here is not the worms from script kiddies that surfaced after the exploit was made public. The scandal is that EVERY INSTITUTION using a Windows computer was likely vulnerable to being spied on by anyone who was "in the know" on this exploit. Think of all the banks, government agencies, hell even WARSHIPS, that use Windows in some flavor, and you can see how this is an absolutely detestable back door. How much crime or spying (or criminal spying) has occurred due to Microsoft's negligence? How can an EULA protect Microsoft from such an obvious and critical defect?
This is the sort of thing we should be having congressional hearings on!!!

Authored by: Prototrm on Friday, January 13 2006 @ 01:11 PM EST
First, IANAL, but IAAP (I *am* a programmer). This does look suspicious at first glance, but I think Steve Gibson is wrong. Let me explain.
The graphics format consists of multiple records, the first part of which tells Windows how long the record is (so it can find the next one). This length value must be greater than 6, or the file cannot be read (that's the length of stuff that *has* to be in every record, by definition).
The format also has, as part of its design, a "call back" that Windows would use if the user is printing the graphic and cancels the job before it finishes. Steve says this callback address is useless in a WMF file.
If the length value is "1", and a callback address exists in the WMF file, Steve says that Windows will automatically start executing the contents of the record.
To me, this does look like it could be a programming error, with a combination of internal factors causing the first non-header location in the WMF record to be executed instead of a routine specific to the WMF file itself. I think it's significant that Steve reports that the code in the record is executed, rather than following the "call back" pointer. Another problem for me is that Steve reports it only happens when the length value is "1", not "0" (he doesn't say if it happens for values of "2" through "5", which is what I'd like to know). I wouldn't expect it to happen on a value of "0", but "1" or "2", yes. If it only happens on "1", that would raise my suspicions a bit. Why would "1" be special?
My conclusion is that this is indeed a bug in the system, not a deliberate back door, but additional testing is needed to see just what the true vulnerability is. That's why programmers work in teams to check each other's work. Steve should have waited until he could have done more testing and get confirmation from others. To hell with being the first to post.
Right now, I'm using VMplayer to run Windows 2000 inside Suse Linux (with no internet connection from inside this "sandbox"). Just in case I'm wrong. Where is that tinfoil hat when I really need it?

Authored by: Anonymous on Friday, January 13 2006 @ 01:16 PM EST
To the folks on here posting that this is a design issue rather than an intentional back door: where's YOUR proof?
You see the burden of proof goes both ways here. If you're going to disguise a deliberate back door, the FIRST thing you'd do is make sure it looked like an honest mistake.
The intention here is impossible to gauge without a DOJ investigation. All our speculating is just that. But remember, the assumption that not fixing this was a deliberate act is JUST AS VALID as assuming it was an honest mistake. Incompetence is not a defense, and this particular security hole could reasonably have been exploited by anyone in the world had they been "in the know" about it.
Remember, it is extremely easy to erase one's tracks when hacking. It's not like breaking into a building. Digital tracks are far easier to conceal compared to physical evidence, like skin cells, fingerprints, DNA residue, human witnesses, etc.

Authored by: rmalheiro on Friday, January 13 2006 @ 01:21 PM EST
Gibson is not an Open Source advocate, but he says he's gravitating toward it now.
Looks like Open Source is now "big enough" to attract sensationalist "journalists". Steve Gibson has published several far fetched theories and is probably just trolling for page hits.
Anyway, I only touch MS products wearing gloves and with a ten-foot-pole. Or a very large club...
-- Note to self: get a .sig

Authored by: Anonymous on Friday, January 13 2006 @ 01:31 PM EST
Folks, check out the OT thread in "The Open Source as Prior Art Discussion Begins" topic.
There is a post by "rocky" there titled "MS used their own backdoor intp WinXP". It is related to this discussion.
It is scary.
I personally don't use Windows except at work, where I really have no choice, so I have little sympathy for those who do. But the (I'm lost for words here - gall perhaps?) of M$ here is beyond comprehension if what happened is true.
Thank God for Linux.

Authored by: mexaly on Friday, January 13 2006 @ 02:16 PM EST
These are accusations of intent based on "preliminary" reasoning.
I think if someone says "Preliminary results suggest person X is a burglar," that's something a journalist would want to confirm before publishing.
Never attribute to malice that which can be explained by stupidity.
---
My thanks go out to PJ and the legal experts that make Groklaw great.

Authored by: Anonymous on Friday, January 13 2006 @ 02:37 PM EST
Good on Bill Gates, if this is ever proved your monopoly dies right then and there. The laws are pretty strict on such and in my opinion as IANAL they could require you to pay heavy fines or remove the product..
Another reason why backdooring is extremely dangerous, and is nothing less than making your product less secure.

Authored by: Anonymous on Friday, January 13 2006 @ 02:47 PM EST
Other tech geeks here please check me. I read the transcript of Steve & Leo's podcast but I haven't done any reverse-engineering of my own.
- Escape/SETABORTPROC is a legitimate mechanism used by programs which are recording a series of instructions ("records") for a printer driver. If the printing gets aborted for some reason (e.g. cancelled by the user), the printer driver "calls back" to the program's "abort proc" so that the program can do whatever it needs to do when printing doesn't succeed (e.g. warn the user).
- All versions of Windows included the Escape/SETABORTPROC mechanism.
- WMF files are also a series of records in the same format, but they are saved in a file. In this context it doesn't make any sense to use Escape/SETABORTPROC, but it turns out you still can? (that might be a legitimate oversight?)
- HERE'S THE BEEF as reported by Steve Gibson: If you put a specially-crafted, INVALID record into your WMF file (note: not anywhere else like sending it to a printer!) then it will create a new thread and set this thread to execute code straight from the WMF file at the byte immediately following the invalid record. The processing of the WMF file will then fail as it is supposed to because of the invalid record.
There are several highly suspicious things about this:
- The exploit is only triggered when the invalid record has length=1. This is an impossible length in a valid record because (as I understand it) all records must be of EVEN LENGTH. But it doesn't trigger the exploit for every invalid length, only a single specific value. In other words, someone almost certainly had to write code to *check* for this specific value, which makes it extremely unlikely this exploit is an "accidental side-effect" and much much more likely that it was intentionally coded by someone.
- It creates a separate thread to run the code. This smacks of something done very deliberately! You don't accidentally create threads. In particular, this means it wasn't just a buffer-overrun or something that causes the execution to transfer to the code in the WMF file. In the compiled code, the pointer to the next byte of the WMF file might be on the stack or it might be in a register. A stack-smashing attack or buffer overrun is a typical way for a hacker to cause an address off the stack or a register to be jumped/called to. But CREATING A SEPARATE THREAD only happens when an API function for that purpose (such as beginthreadex()) is called.
- From my reading of the transcript, it sounds like versions of Windows older than Windows 2000 probably are NOT affected by the exploit. It sounds like they support Escape/SETABORTPROC on WMF files (which is goofy but perhaps according to spec). However, it sounds like the "backdoor" (the arbitrary code execution after an illegal record with length=1) is NOT present in older versions of Windows.
- People are saying things like "but WINE is affected too". I seriously doubt that is the case. It is probably just like Win95 or Win98 -- supporting Escape/SETABORTPROC (according to spec) but not vulnerable to the actual length=1 "backdoor".
CONCLUSION: very suspicious. It sure looks like Microsoft, or someone with access to their code some time in the 1997-2000 timeframe, deliberately inserted the capability to execute arbitrary code in a new thread with length=1.
What's strange is that until Windows XP, the WMF files were not registered automatically so unless the registration was added by a Microsoft product or some other piece of malware, Windows 2000 would not be vulnerable.
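Prototrm's post above describes the record length field (at least 6 bytes, which is where the file would become unreadable) and this post describes Escape/SETABORTPROC records and the even-length rule. The following is an added example, not code from the page or from any of the posters: a small Python scanner that walks a WMF file record by record, rejects any record whose size field is below the 3-word minimum or runs past the end of the file, and flags any META_ESCAPE record whose escape function is SETABORTPROC, which is the record a defender would want to notice in an image file. The 18-byte METAHEADER layout and the values META_ESCAPE = 0x0626, SETABORTPROC = 0x0009 and the placeable-header magic 0x9AC6CDD7 are from Microsoft's public WMF documentation; the sample files are constructed inline, and the malformed sample uses a size field of 2 words rather than the specific value discussed in the post.

```python
import struct

# Constants from Microsoft's public WMF documentation: record function codes,
# the escape sub-function, and the placeable-header magic. The standard
# METAHEADER is 18 bytes; each record starts with a 32-bit size in 16-bit
# words followed by a 16-bit function code, so the smallest legal record is
# 3 words (6 bytes) and every record has an even byte length.
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7
MIN_RECORD_WORDS = 3


def make_record(func, params=b""):
    """Build one WMF record; the size field counts words and covers the whole record."""
    if len(params) % 2:
        raise ValueError("WMF record parameters are a sequence of 16-bit words")
    size_words = (4 + 2 + len(params)) // 2
    return struct.pack("<IH", size_words, func) + params


def make_wmf(records):
    """Wrap records in a minimal METAHEADER and terminate them with META_EOF (constructed sample)."""
    all_records = list(records) + [make_record(META_EOF)]
    body = b"".join(all_records)
    header = struct.pack(
        "<HHHIHIH",
        1,                                      # mtType: memory metafile
        9,                                      # mtHeaderSize in words (18 bytes)
        0x0300,                                 # mtVersion
        (18 + len(body)) // 2,                  # mtSize in words
        0,                                      # mtNoObjects
        max(len(r) // 2 for r in all_records),  # mtMaxRecord
        0,                                      # mtNoParameters
    )
    return header + body


def scan_wmf(data):
    """Walk the records and return a list of findings; an empty list means nothing was flagged."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                # skip the optional placeable header
    if len(data) < off + 18:
        return ["truncated: METAHEADER missing"]
    hdr_words = struct.unpack_from("<H", data, off + 2)[0]
    if hdr_words != 9:
        findings.append(f"unexpected header size {hdr_words} words")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < MIN_RECORD_WORDS:
            # A size below the minimum cannot be trusted to advance the cursor;
            # a validating parser stops here rather than interpreting what follows.
            findings.append(f"malformed record at offset {off}: size {size_words} words is below the 3-word minimum")
            break
        end = off + size_words * 2
        if end > len(data):
            findings.append(f"truncated record at offset {off}: {size_words} words runs past end of file")
            break
        if func == META_ESCAPE and size_words >= 4:
            escape_func = struct.unpack_from("<H", data, off + 6)[0]
            if escape_func == SETABORTPROC:
                findings.append(f"META_ESCAPE/SETABORTPROC record at offset {off}")
        if func == META_EOF:
            return findings
        off = end
    else:
        findings.append("no META_EOF record")
    return findings


# Constructed samples: a clean file, one carrying an Escape/SETABORTPROC record
# (escape function 9, 4 bytes of escape data), and one whose record size field
# understates the record and falls below the legal minimum.
CLEAN_SAMPLE = make_wmf([make_record(META_SETMAPMODE, struct.pack("<H", 8))])
ESCAPE_SAMPLE = make_wmf([make_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])
MALFORMED_SAMPLE = make_wmf([])[:18] + struct.pack("<IHH", 2, META_SETMAPMODE, 8)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("escape", ESCAPE_SAMPLE), ("malformed", MALFORMED_SAMPLE)):
        print(name, scan_wmf(sample) or "nothing flagged")
```

The design point is in the loop: once a size field is below the minimum, the parser stops and reports rather than guessing where the next record starts, because any attempt to keep going means interpreting bytes the format never validated. The same check catches a size field that overruns the buffer, which is the other way a length field leads a naive reader astray.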

Authored by: Anonymous on Friday, January 13 2006 @ 02:48 PM EST
PJ, think a bit before you say "I can't evaluate" the claims. In your words, the issue is whether or not it's true that "WMF is a backdoor, not a coding mistake."
The problem is that this is a false dichotomy. Everybody KNOWS it's not a coding mistake. WMF was DESIGNED to allow arbitrary code to execute, Microsoft SAID SO PUBLICLY in the WMF specifications it published years ago when it invented the format.
The real debate is whether the problem should be categorized as "bad design" or as an intentional "backdoor". This is a false dichotomy too: for one thing, any design that includes a backdoor is a bad design (IMO).
Also, any security flaw, intentional or not, that allows attackers to gain control of a computer is, by definition, a "back door." The WMF issue qualifies, no question. There's no need to be "preliminary" about that at all. So (I guess I should listen to the podcast at this point, but I'm at work) if Gibson is claiming to have found (or "preliminarily" found) anything new or interesting, he must intend to imply (as "back door" generally does within the cracker/security/wannabe community) that Microsoft *intended* the WMF format & its handling routines to provide a backdoor - that they foresaw and intended that it could be used to crack computers running their OS.
In short: what people may disagree over, even after they've clarified their terms, is whether
a) As Gibson's claim, at least as you characterize it, seems to imply, Microsoft chose this design because they wanted to have the ability to spy on people,
or
b) Microsoft chose this design (and never bothered to modify it) because it was convenient for various engineering reasons, and they were monumentally, stunningly, perhaps criminally, almost certainly actionably, blind or indifferent to the security risks they were creating.
The issue goes to Microsoft's intention, NOT to any technicalities. Pretty much the only ways imaginable to support a statement about Microsoft's intentions are to
- find a smoking gun, such as an internal MS memo saying "let's put a backdoor in, and let's use WMF to do it", or a comment in the code such as "secret backdoor here - the NSA insisted"
- find a LOT of circumstantial evidence, not only how the code behaves but in things from which deliberate action by MS executives can be inferred - maybe there was an earlier version that didn't have the flaw, but this was changed after a hush-hush meeting of the top brass?
Can Gibson possibly have found such evidence? I doubt it. If he had found a smoking gun, he'd have published it. A phrase like "preliminary conclusion" would be meaningless. (It's reprehensible in any case. If it's so preliminary, why publish now?) As for circumstantial evidence, previous posters have already piled up quite a bit of it that tends to show that the WMF format was a crime of depraved indifference, not a crime of malice. The most obvious pieces of evidence are:
- this "mind-bogglingly stupid" (to quote an earlier poster) design was publicly documented. That's inconsistent with a secret backdoor, to say the least.
- so is the fact that different versions of Windows differ in the degree to which they are vulnerable. If you were writing the code, wouldn't you make sure your backdoor always works?
In short, a bit of common sense is all you should have needed. The WMF "flaw" is indeed important and scary, and as I said above MS's actions were possibly criminal, or at least grossly negligent. But if you or Gibson meant to imply that this particular piece of code was *intended* by MS to be used for cracking/spying, that's an accusation that should have been easy to dismiss.

Authored by: Nick_UK on Friday, January 13 2006 @ 03:26 PM EST
Bliar & Bush: WMD
MS & Gibson et al: WMF
Me and the rest of the world: WTF?
Nick ;-)

Authored by: ray08 on Friday, January 13 2006 @ 04:03 PM EST
But after 15 minutes of almost nonstop "I mean...you know...like" (repeat 1000 times!) I had to protect my sanity and stop.
---
Caldera is toast! And Groklaw is the toaster! (with toast level set to BURN)

Authored by: Anonymous on Friday, January 13 2006 @ 04:31 PM EST
The WMF 'backdoor' existed before ActiveX and Microsoft on the internet. It is from times when Windows was a desktop only thingie and the internet was only for university people.
Whoever is Steve Gibson, he just wants some quick fame.
I can believe that MS is evil, or that some of their programmers coded or tried to inject a backdoor in the past, but in this case I believe it is really just negligence and incompetence.
Remember, even Wine made its stuff compatible, so before Mr. Gibson people believed this 'feature' is a good one.
|
|
Authored by: philc on Friday, January 13 2006 @ 04:45 PM EST
Microsoft must always be in control. That's why they explicitly do things that
permit them to, without your permission, do what they want inside your
computer.
Linux, on the other hand, puts you in control. Nothing happens unless you let it
happen.
For example: it's never a problem for Microsoft to put code in a macro, file
format, or such. After all, they control your system, so they can add code from
time to time. Of course IE will execute programs that come on web pages. Web
pages come from Microsoft-certified web servers. When MS needs a little code
executed, it's in control and just does it. It's OK to verify the software on your
system. It's OK to use DRM to verify you have access to the files. It's all just
part of being in control. It's important for a network single login to go through
Microsoft servers.
This worked OK for a while until others found out how to proxy (act on behalf
of) Microsoft. The world of malware was enabled. Microsoft cannot keep others
from using their mechanisms.
It is this fundamental design philosophy that drives Microsoft and the security
problems that plague them.
The Linux approach is to put the user in charge. Code is executed when the user
runs it. In Linux there is no execution of code on web pages. No executing email
attachments. No code in macros. Why would anyone give away control like that?
Linux looks out for you, the user.
Linux's approach makes it very difficult for malware writers since there are no
general mechanisms or philosophies that would permit viruses.
Authored by: Anonymous on Friday, January 13 2006 @ 05:34 PM EST
Never attribute to malice that which can be adequately explained by stupidity.
Authored by: Anonymous on Friday, January 13 2006 @ 06:02 PM EST
This may be a valid claim, or not. The fact is that this is only one person's
speculation, without much backup.
What is it called in journalism when unsupported statements are published?
(e.g., Boston Globe v Quinn).
What is it called in law when unsupported statements are made by a deponent?
Dumping the credibility decision about a story onto the reader is hardly a
professional approach.
I've come to regard Groklaw as balanced and careful, especially where there is
nuance and complexity in subject matters. It takes care not to stray into gossip.
Other material on Sony, SCO etc. is always presented when there are clearer
volumes of evidence to support a point. I think there may be some straying going
on here that should be curbed pending clearer evidence. MS may be a brawling
bully, but that conclusion is supported by huge volumes of evidence. Please
don't hurt the quality of this site by gossip.
Regards
Paul Thomas
Authored by: Anonymous on Friday, January 13 2006 @ 06:05 PM EST
With articles like Victor Yodaiken's decrying the purported effects of DRM on
nuclear power plants, and the present one citing Steve Gibson, I think that
Groklaw is losing its objectivity and quickly descending into spreading FUD.
Authored by: Anonymous on Friday, January 13 2006 @ 08:40 PM EST
From the podcast transcript:
"So what I found was that, when I deliberately lied about the size of this
record and set the size to one and no other value, and I gave this particular
byte sequence that makes no sense for a metafile, then Windows created a thread
and jumped into my code, began executing my code. Okay, Leo? This was not a
mistake. This is not buggy code. This was put into Windows by someone."
No mystery. This is just the same old indexing problem that bad programmers
have. In this case, the index is off by one in the positive direction. Thus one
byte becomes the error trigger when it should have been zero. This is how so
many buffer overruns have occurred in Windows. Does the array use zero or one
as a starting index value?
I might agree with Steve if this was not a one-byte difference, but it is so
obviously just another stupid serf mistake and not a feature!
This is why open source will triumph. Too many eyes on the code to allow rookie
mistakes like the ones that riddle the proprietary mess that is Windows.
Authored by: Anonymous on Friday, January 13 2006 @ 09:09 PM EST
Microsoft got caught putting a backdoor in its IIS server software. As a fix
they urged their customers to delete dvwssr.dll, then went on to make more
billions and billions.
I'm not the least bit astonished that on close inspection Steve Gibson thinks
this one looks more like design than accident.
One thing that bothers me a lot about this WMF exploit is, I wonder how many
people actually keep their XP patched?
Many of the computer owners I know don't even really understand patching and
don't do it.
Any way to know the likely percentage of patches that get installed?
Authored by: The Mad Hatter r on Friday, January 13 2006 @ 10:39 PM EST
I saw a lot of pro- and anti-Steve Gibson posts, and I felt I had to drop in my
two cents, after reading the transcript.
1) Steve says that this is a preliminary report - he still has further things to
check.
2) However, the exploit does work as advertised.
3) That it could be a problem.
Now Steve Gibson is a genius. I've seen examples of his work several times, and
the man is a brilliant programmer. The real question is how right is he in this
case?
Right now we don't know, and he himself admits that he doesn't know. He did draw
attention to a possible problem, and in such a way as to draw a lot of attention
to it. Now that he's made the issue public other programmers can start to play
with it, and it should be interesting seeing their reports.
Remember - he said "So, again, it may be that a week from now I come back
with my tail between my legs and say, Leo, you know, I told what I believed to
be the case at the time."
Let's give him that week.
---
Wayne
http://urbanterrorist.blogspot.com/
Authored by: Anonymous on Friday, January 13 2006 @ 10:58 PM EST
Explanation is here:
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
Authored by: Anonymous on Saturday, January 14 2006 @ 12:44 AM EST
vehemently denouncing things Gibson never said.
Quite a few enthusiastic assertions turn out to be NOT true.
Some of PJ's oldest and bestest fans seem to think she has suddenly, inexplicably,
turned against M$.
The stage-coach has just pulled into town carrying a hot-shot lawyer and two
eye-witnesses.
Authored by: Anonymous on Saturday, January 14 2006 @ 07:37 AM EST
I was talking with two friends several years back, one was a coder for MS and
the other was a networking/security specialist, about MS's DRM. I was
talking about how soon you wouldn't be able to keep MS out of your computer; my
net/sec friend responded that he would just firewall it. My MS friend's response
was they would bypass it. We (I) half thought he was being flippant as he didn't
provide any serious answer. I wish I could remember his exact responses now, but
it wasn't something *he* was working on.
It rang through my head when I read the following...
"Leo: So you're saying Microsoft, or people at Microsoft maybe unbeknownst
to Microsoft, intentionally put code in Microsoft Windows that will allow
anybody who knew about it access any Windows machine, to get into any Windows
machine and run any arbitrary code on it.
Steve: Well, it's not like a trojan, where they would be able to contact a
remote machine. But, for example, if Microsoft was worried that for some reason
in the future they might have cause to get visitors to their website to execute
code, even if ActiveX is turned off, even if security is up full, *even if
firewalls are on,* basically if Microsoft wanted a short circuit, a means to get
code run in a Windows machine by visiting their website, they have had that
ability, and this code gave it to them.
Leo: And there'd be nothing anybody could do about it or - and in most cases
detect it. So it sounds like - and I really want to be careful here because this
is a very serious accusation. It sounds like this was done on purpose by
Microsoft or somebody at Microsoft. It sounds like it was accidentally
discovered. Microsoft reacted and has pulled it out now."
I wonder if Mark over at sysinternals will have anything to add to this?
Authored by: Anonymous on Saturday, January 14 2006 @ 09:21 AM EST
Well, if Steve Gibson is just making fear statements, does that mean Microsoft
would never do such a thing???
Everyone criticizing Steve is a security expert or just an idiot that is
pro-Microsoft.
Whoever has the proof he's wrong, prove it in detail...
So that his tests are false. I'm no sec. expert but am anti-M$ and wouldn't put
it past Gates's company to do whatever it takes to generate something of
controversy to have people scared so as to hurry and spend the bucks to buy
Vista. It's all about the money; MS doesn't care about a stable and secure OS as
long as billions can be made off the people.
Authored by: Anonymous on Saturday, January 14 2006 @ 09:21 AM EST
Mr. Gibson is a talented programmer but an even more talented self-promoter. The
guy has sold the same useless piece of software for over a decade now.
Be careful, guys.
Authored by: Anonymous on Saturday, January 14 2006 @ 07:53 PM EST
The site is now dead! A Microsoft contract? Poor Steve, I hope he has home
security!!
Authored by: Anonymous on Saturday, January 14 2006 @ 10:59 PM EST
If it was one of the government-sponsored backdoors (and IMHO I think there
are some) it would have had a password. My hunch is either more bad code or a
coder slipped it by his superiors.
Similar code has a much better chance of being spotted in the open source world.
Authored by: Hop on Sunday, January 15 2006 @ 01:24 AM EST
Before you make comments on this, please listen to the show or read the
transcript. Then you'll know exactly why he claims it's a backdoor.
- A suggestion - Authored by: Anonymous on Sunday, January 15 2006 @ 06:47 AM EST
Authored by: OmniGeek on Sunday, January 15 2006 @ 10:05 AM EST
Let's assume, arguendo, that this IS an intentional back door. (The fact
that the Microsoft GDI, itself, and NOT some exploit code, spawns a new thread
to execute code contained in a malformed graphics file, makes it nearly certain
it was intentional on SOMEONE's part. Forensic analysis of the code before and
after the patch should prove VERY illuminating -- and no, I'm NOT fingering the
Illuminati ;-))
Then, it is either 1) some cowboy coder's illicit effort, or 2) an officially
sanctioned back door for corporate use by Microsoft. Let's look at the
implications of each path.
1) Cowboy coder -- The backdoor will be unceremoniously ripped out ASAP, followed
by an internal audit of everything else that coder worked on (which may cause
some delay, as they'll want to clean out ALL the traps). Corporate CYA will keep
Microsoft from admitting that it was an intentional back door, and they will
resist outside audits of the offending code. New back doors by cowboy coders are
unlikely; officially-admitted DRM hooks and Product Activation spyware are
unaffected.
2) Officially sanctioned -- The backdoor will be removed, only to be replaced by
something better-hidden, using obfuscated GDI code to keep it from discovery,
and a better-secured "malformation" to open the door to authorized parties only.
There will be some delay in providing the "patch" while the better-hidden
backdoor is designed. Corporate policy will preclude admission that it was
intentional, and they will resist outside audits of the offending code. There
will always be such official back doors, in addition to any officially-admitted
DRM hooks and Product Activation spyware.
So, in EITHER case, under these (eminently reasonable) assumptions, a) we'll
never find out why this happened, absent disclosure during a court or government
inquiry; b) Microsoft's behavior will seem shifty and suspicious, whether for CYA
or to conceal intentional backdoors, and c) we'll never, ever be able to really
trust that a Microsoft OS isn't serving a master other than ourselves. The
presence or absence of an intentional backdoor like this just adds or subtracts
one path among the officially-acknowledged ways Microsoft intrudes on our
computers.
Oddly enough, this isn't where I thought this analysis was going; I had expected
to conclude that Microsoft's response indicated corporate intent, and instead
it's a wash. We can't trust our privacy to Windows in either case...
---
My strength is as the strength of ten men, for I am wired to the eyeballs on
espresso.
Authored by: Anonymous on Sunday, January 15 2006 @ 07:11 PM EST
Sorry about the language, but that explanation has a hole big enough in it to
drive a truck through. Note the bolded text:
"Now, there's been some speculation that you can only trigger this by using an
incorrect size in your metafile record and that this trigger was somehow
intentional. That speculation is wrong on both counts. The vulnerability can be
triggered with correct or incorrect size values. If you are seeing that you can
only trigger it with an incorrect value, it's probably because your SetAbortProc
record is the last record in the metafile. The way this functionality works is
by registering the callback to be called after the next metafile record is
played. If the SetAbortProc record is the last record in the metafile, it will
be more difficult to trigger the vulnerability."
Well, now, if the SetAbortProc is supposed to be called after the next metafile
record is played, why is it called at all when there is no next record and the
fake current record length is set to an invalid value of one?
The proc should never be called at all in that case.
Authored by: Anonymous on Monday, January 16 2006 @ 01:20 AM EST
Windows belongs to Microsoft. You may use their software if you pay them a
license fee. It is still their property. I assume they never promised what
functions are not and will not be present in their property. But they do claim
the right to change them without your knowledge.
Authored by: Anonymous on Monday, January 16 2006 @ 05:32 AM EST
Those of you interested in Steve Gibson's comments from his ongoing analysis
may want to take a peek at the discussion in one of the grc discussion groups:
http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60621&utag=
Subject: Re: Confused on the WMF issue, and curious of tools used.
Date: Sun, 15 Jan 2006 15:12:07 -0800
From: Steve Gibson
http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60629&utag=
Subject: Re: KnockKnock updated, and I'm off to get answers ...
Date: Sun, 15 Jan 2006 16:56:59 -0800
From: Steve Gibson
http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60632&utag=
Subject: I've found the code in Windows 2000 ...
Date: Sun, 15 Jan 2006 17:24:21 -0800
From: Steve Gibson
http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60658&utag=
Subject: Re: I've found the code in Windows 2000 ...
Date: Sun, 15 Jan 2006 19:26:55 -0800
From: Steve Gibson
- Thanks - Authored by: Anonymous on Monday, January 16 2006 @ 04:58 PM EST
Authored by: Anonymous on Tuesday, January 17 2006 @ 04:54 PM EST
I am amazed at how many supposed rebuttals to Steve Gibson's claims are simply
attempts at character assassination. This tactic is underhanded at best and
contributes nothing to the debate over whether this flaw is accidental or
an intentional backdoor.
It really boils down to this, even according to Steve Gibson:
1. There is a security vulnerability in WMF.
2. The question is, was this an accident or an intentional back door?
Steve Gibson suggests there is strong evidence that it is intentional, but he
does not say it MUST be intentional.
It is unlikely that we'll ever find out with any certainty whether or not this
flaw was actually an intentional back door. Personally, I don't care if it's
accidental or intentional. It's bad enough that Microsoft simply ported GDI
code. It should be obvious to any decent programmer that you are asking for
trouble if you give functions like these direct access to the GDI.
The Microsoft blog post refutes Steve's claim that it can only be triggered by
passing the "wrong" data value, which Steve uses as evidence that the
vulnerability was intentional. The rebuttal in the Microsoft blog does not,
however, accomplish its intended purpose. The fact that you can exploit this
flaw with a correct value does not refute the fact that it may be an intentional
back door. The value that you pass turns out to be an offset, which if used
correctly, will trigger the SetAbortProc in the WMF.
The fact is that there is a simple way to know how to use a correct or incorrect
size in order to make sure your code is triggered. So the question as to
whether or not this was an intentional back door remains open.
As I said, I doubt if it will ever be closed, but so far the Microsoft rebuttal
did nothing to close it.
-NPetreley
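The two comments above (the one quoting the Microsoft explanation and this one) both turn on the same two facts about the file format: a WMF is a chain of records, each starting with a size in 16-bit words, and the record at issue is a GDI escape carrying the SetAbortProc escape code. What a defender wanted in January 2006 was a way to spot such files before a viewer ever played them, whatever the record size said. The following is an added example, not code from any commenter, from Microsoft or from Gibson: a small Python parser that walks the record chain, rejects records whose size is below the three-word minimum (the "invalid value of one" argued about above) or that run past end of file, and flags any META_ESCAPE record whose escape code is SETABORTPROC. It assumes the standard WMF layout (optional 22-byte placeable header, 18-byte METAHEADER, records of a 4-byte word count plus 2-byte function number), using the documented function number 0x0626 for META_ESCAPE and escape code 9 for SETABORTPROC; the sample files are constructed inline and build_wmf is a helper invented for the example.

```python
import struct

# WMF record function numbers and the escape subfunction discussed in the thread.
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 9                 # escape subfunction that registers an abort callback
PLACEABLE_KEY = 0x9AC6CDD7       # magic of the optional 22-byte placeable header
METAHEADER_LEN = 18              # mtType..mtNoParameters, packed little-endian
MIN_RECORD_WORDS = 3             # rdSize (2 words) + rdFunction (1 word)


def parse_wmf_records(data: bytes):
    """Yield (offset, size_in_words, function, params) for each record.

    Structural problems (short header, record size below the 3-word minimum,
    record running past end of file, missing META_EOF) raise ValueError, so a
    caller can treat "malformed" as its own verdict instead of silently skipping.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + METAHEADER_LEN:
        raise ValueError("file too short for METAHEADER")
    _type, hdr_words, _ver, _size, _nobj, _maxrec, _nparams = struct.unpack_from(
        "<HHHIHIH", data, off)
    if hdr_words != 9:
        raise ValueError(f"METAHEADER mtHeaderSize is {hdr_words} words, expected 9")
    off += METAHEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < MIN_RECORD_WORDS:
            raise ValueError(f"record at offset {off}: rdSize {size_words} is below the "
                             f"{MIN_RECORD_WORDS}-word minimum")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off}: rdSize {size_words} words runs past EOF")
        yield off, size_words, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("metafile has no META_EOF record")


def find_setabortproc(data: bytes):
    """Return the offsets of every META_ESCAPE record whose escape code is SETABORTPROC."""
    hits = []
    for off, _size, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def classify(data: bytes):
    """Verdict for a file: ('clean', []), ('suspicious', [offsets]) or ('malformed', reason)."""
    try:
        hits = find_setabortproc(data)
    except ValueError as err:
        return ("malformed", str(err))
    return ("suspicious", hits) if hits else ("clean", [])


def build_wmf(records):
    """Constructed sample builder (invented for this example, not a real-world file):
    records are (function, params) pairs; a plain 18-byte METAHEADER is prepended
    and a META_EOF record appended."""
    body = b""
    max_words = MIN_RECORD_WORDS
    for func, params in records:
        if len(params) % 2:
            params += b"\x00"                     # records are word-aligned
        words = MIN_RECORD_WORDS + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    body += struct.pack("<IH", MIN_RECORD_WORDS, META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    return header + body


if __name__ == "__main__":
    clean = build_wmf([])
    flagged = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
    # A record whose rdSize is 1 word: the "invalid value of one" the thread argues about.
    undersized = (clean[:METAHEADER_LEN] + struct.pack("<IH", 1, META_ESCAPE)
                  + clean[METAHEADER_LEN:])
    for name, sample in (("clean", clean), ("flagged", flagged), ("undersized", undersized)):
        print(name, classify(sample))
```

The point of returning a separate "malformed" verdict is the one the thread circles around: a file that stops parsing at an undersized record is not thereby safe, because the viewer's parser and this one may disagree about where the next record starts, so a gateway should treat undersized or truncated metafiles as worth blocking in their own right rather than as "no SetAbortProc found".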
Authored by: NilsR on Thursday, January 19 2006 @ 08:22 PM EST
Gibson replies in his latest SecurityNow podcast and expands in detail on his
website.
There's also a free (as in money) utility that can be used to test Wine as well
as Windows.
---
NilsR