Those of you using Microsoft Windows 2000 or XP will want to follow this story: Steve Gibson has examined WMF and he now believes it was deliberately coded. It looks to him that Microsoft put a backdoor into Windows, one that can be triggered even if ActiveX is turned off and security is set to high. It could be a renegade coder, he says, but in his view it is not bad design or a mistake.
I can't evaluate what he says, but if it's true it is so serious for your privacy and security that I would feel irresponsible not to point you to his podcast, so you can evaluate it for yourself. So the podcast is here. Also, there are a number of Sony lawsuits going on, and some parties are considering settling. They also might like to know about this issue.
He is still testing, so this is a preliminary finding. It's possible that in a week he'll have more answers or a different explanation. Microsoft has yet to speak. Gibson is not an Open Source advocate, but he says he's gravitating toward it now.
Warning: you have to get through some graceless conversation about whether to use hacker or cracker, but that's just the first couple of minutes.
UPDATE: An explanation from the Microsoft Security Response Center Blog.
2d Update: Mark Russinovich, on why he believes it was poor design, not a backdoor.
3d UPDATE: Gibson acknowledges one mistake, but stands by his view that this was coded intentionally.
After acknowledging his mistake (his test metafile had only a single record), "I talked about ... the fact that the metafile record had to, apparently, in my case had to be set to an incorrect length in order to make this happen", Gibson is asked whether that destroys his premise that this was coded deliberately:
LEO: Does that destroy your argument, or does it impact the argument?
STEVE: Well, I don't think it does. I mean, certainly it takes some of the edge off of it. But when I did finally look at Windows - I mean, and believe me, Leo, I was holding my breath that, you know, as I said, I might end up retracting everything and be completely wrong about this - when I looked at Windows I saw, I mean, as clear an example of intention as I have ever seen. I mean, this was just code designed to do this, code designed to jump into the metafile image and run the code contained in the image.
LEO: Now, Stephen Toulouse, who blogged about this for Microsoft, said, well, sure it's intentional, but it's intentional with a benign point of view. It was to allow GDI functionality; right?
STEVE: No. No one ever believed, I mean, no documentation, no common practice, no use ever had metafile images running code. I mean nowhere. I've put together and I've further fleshed out the page that I began last week. It was just sort of a placeholder page. It's at GRC.com/wmf/wmf.htm - WMF, of course, for Windows MetaFile. I've laid the whole thing out. I've got a screenshot and link to Microsoft's original documentation from Windows 3.0 and 3.1 explaining what this whole ABORTPROC thing is, and that it is for executing code in the user's application. I mean, it makes - it's crazy to think that even Microsoft at any time in the past would have thought that it made sense to mix code with drawing commands.
LEO: So the only reason you'd put this in is why?
STEVE: The only reason is to run code in an image, which has never been sanctioned, never documented, and, I mean, makes no practical sense.
LEO: There's no other legitimate use of that. It's so that you could put code in an image.
STEVE: Well, exactly. And, even more so, when a program runs, the Windows Loader does all kinds of fancy things, fixing up and filling out that IAT that we talked about a long time ago with RootkitRevealer, the Import Address Table, which essentially connects the application into the Windows API. If you're code running in an image, you have no advantage of Windows Loader, which basically makes it feasible for you to talk to the rest of Windows. Ilfak, in his vulnerability tester, because of this had to go through all kinds of very tricky hacker hoops in order to explicitly get access to Windows in order to just pop up his little dialogue that said you are or you are not vulnerable. It was a lot of work.
So, I mean, it just - it doesn't make sense that Microsoft could have ever published the idea of doing this; yet not only did I look at this, at the way this is implemented, but our friend Mark Russinovich from Sysinternals, he looked at it and sent me email, which I have a link to also on our WMF page. He analyzed this and concluded, just as I had, that this was intentional. He was not comfortable saying it was a backdoor. And, I mean, I respect his opinion. You know, "backdoor," as I said, is a very loaded word that carries with it all kinds of, you know, implicit malice, which I never meant to imply. But Mark, looking at the same code I have, and actually several other people, too, recognized that, for whatever reason, this is what the coder intended.
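For readers who want to see what the discussion above is about in concrete terms, here is a small scanner, added to this post as an illustration and not taken from Gibson's page, Microsoft, or Mark Russinovich: it walks the record list of a Windows metafile and reports any META_ESCAPE record that asks for SETABORTPROC, the mechanism the transcript describes as "jumping into the metafile image". The record-type and escape numbers (META_ESCAPE = 0x0626, SETABORTPROC = 9, placeable-header key 0x9AC6CDD7) come from the published WMF format; the sample metafile is constructed inline with placeholder bytes, and the "size-mismatch" check is my own assumption of what a record with an "incorrect length", as Gibson put it, would look like.

```python
"""Scan a WMF byte string for META_ESCAPE records that request SETABORTPROC.

Added example for this post; not code from GRC, Microsoft or Sysinternals.
"""
import struct

# Values from the public WMF record format.
PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626           # record type that carries printer escapes
SETABORTPROC = 0x0009          # escape sub-function that registers an abort callback


def scan_wmf(data: bytes) -> list:
    """Walk the record list and return (kind, offset, detail) findings."""
    findings = []
    offset = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        offset = 22                        # skip the placeable header
    if len(data) < offset + 18:
        return [("truncated", offset, "standard header missing")]
    _file_type, header_words = struct.unpack_from("<HH", data, offset)
    offset += header_words * 2             # header size is given in 16-bit words
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        if size_words < 3:                 # 4-byte size + 2-byte function = 3 words minimum
            findings.append(("bad-size", offset, f"record size {size_words} words"))
            break
        rec_end = offset + size_words * 2
        if func == META_EOF:
            findings.append(("eof", offset, ""))
            break
        if func == META_ESCAPE and offset + 10 <= len(data):
            escape_fn, byte_count = struct.unpack_from("<HH", data, offset + 6)
            if escape_fn == SETABORTPROC:
                # Assumed consistency check: size field should cover the escape payload.
                expected_words = (10 + byte_count + (byte_count & 1)) // 2
                detail = f"payload {byte_count} bytes"
                if size_words != expected_words:
                    findings.append(("size-mismatch", offset,
                                     f"size {size_words} words, {expected_words} expected"))
                findings.append(("setabortproc", offset, detail))
        if rec_end > len(data):
            findings.append(("truncated", offset, "record runs past end of file"))
            break
        offset = rec_end
    return findings


def has_setabortproc(data: bytes) -> bool:
    """True if any record in the metafile requests SETABORTPROC."""
    return any(kind == "setabortproc" for kind, _, _ in scan_wmf(data))


def build_sample(payload_len: int = 8, lie_about_size: bool = False) -> bytes:
    """Constructed sample: header, one benign record, one SETABORTPROC escape, EOF.

    The escape payload is zero bytes (a placeholder, not code); lie_about_size
    understates the record length by one word to exercise the mismatch check.
    """
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)   # 9-word header, version 3.0
    setbkcolor = struct.pack("<IHI", 5, 0x0201, 0x00FFFFFF)       # META_SETBKCOLOR, white
    payload = b"\x00" * payload_len
    words = (10 + len(payload)) // 2
    if lie_about_size:
        words -= 1
    escape = struct.pack("<IHHH", words, META_ESCAPE, SETABORTPROC, len(payload)) + payload
    eof = struct.pack("<IH", 3, META_EOF)
    return header + setbkcolor + escape + eof


if __name__ == "__main__":
    for kind, offset, detail in scan_wmf(build_sample()):
        print(f"{kind:14s} at byte {offset:4d}  {detail}")
```

Run it and the SETABORTPROC escape is reported at byte 28 of the sample, right after the 18-byte header and the 10-byte SETBKCOLOR record. A scanner like this is the kind of check a mail gateway or file filter could apply while waiting for a patch: a drawing-only format has no business carrying an abort-procedure escape, which is exactly the point Gibson and Russinovich are making about intent.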