28 thoughts on “More on WMF, did Microsoft leave a backdoor?”

  1. Regarding the ‘you have to go to a particular website’ argument, an appropriately crafted email indistinguishable from any other spam would likely do the trick, if it is viewed in Outlook.

  3. Even more surprising is that the linked article by Stephen Toulouse doesn’t address the main concerns that Gibson brought up, namely that there is nothing useful you can do in the lonely thread that is spawned by this “feature” (you don’t have access to the DC of the metafile) and that the function does not work the way Stephen describes. The only reason Gibson found this was by trying to force the behavior to happen, and none of the “official” explanations worked.

    Since the 13th, when Gibson’s podcast aired, this has been the only response from MS. It would appear that a technically competent rebuttal is in order.

    Has someone come along and documented Gibson’s findings (that the only way to trigger malicious code is by setting the file length to 1, and that the value of SetAbortProc doesn’t matter since the code that will be executed is immediately following the header)? Has anyone rebutted them?

    I’ll be the first to admit that Gibson has an ego the size of Montana (or at least San Diego), but silence on this does not do MS any good, and this appears to be something difficult to “evangelize” away, given all the security reviews that this code should have received en route to XP SP2 and Vista. (Unless by “code review” they mean checking the filenames.)

    Tim
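The comment above turns on two details of the metafile record layout: the escape record that names SetAbortProc, and a record size field of 1. As an added example (not code from this thread, from Gibson, or from Microsoft), here is a small triage scanner that walks the WMF record stream using the record layout from the MS-WMF specification (each record is a 32-bit size in 16-bit words, a 16-bit function code, then parameters; META_ESCAPE is 0x0626 and its first two parameter words are the escape function number and a byte count, with SETABORTPROC = 9). It flags any META_ESCAPE/SETABORTPROC record regardless of its size, and separately flags any record whose declared size is too small to hold its own header, which is the "size set to 1" condition the comment describes. The sample files are constructed inline for the example; the "DATA" bytes are placeholder parameter bytes, not a payload. Because the thread disputes which condition actually matters, the scanner deliberately reports both rather than choosing one.

```python
import struct

# Record and header constants from the MS-WMF specification.
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_MAGIC = 0x9AC6CDD7
HEADER_LEN = 18          # standard METAHEADER
PLACEABLE_LEN = 22       # optional Aldus placeable header in front of it
MIN_RECORD_WORDS = 3     # RecordSize (2 words) + RecordFunction (1 word)


def iter_records(data):
    """Yield (offset, size_words, function, params) for each WMF record.

    Sizes are in 16-bit words. A record claiming fewer than 3 words cannot
    even hold its own header; such a record is yielded with empty params and
    the cursor is advanced past a minimum-size header (an assumption made here
    so the scan can still reach META_EOF instead of looping or stopping).
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = PLACEABLE_LEN
    if len(data) < off + HEADER_LEN:
        raise ValueError("truncated WMF header")
    off += HEADER_LEN
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        if size_words < MIN_RECORD_WORDS:
            yield off, size_words, function, b""
            off += MIN_RECORD_WORDS * 2
            continue
        end = off + size_words * 2
        yield off, size_words, function, data[off + 6:end]
        if function == META_EOF:
            return
        off = end


def scan_wmf(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for off, size_words, function, params in iter_records(data):
        if size_words < MIN_RECORD_WORDS:
            findings.append({"offset": off, "function": function,
                             "reason": f"undersized record (rdSize={size_words} words)"})
            continue
        if function == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                findings.append({"offset": off, "function": function,
                                 "reason": f"META_ESCAPE SETABORTPROC carrying {byte_count} bytes"})
    return findings


def build_sample(records):
    """Assemble a minimal in-memory WMF around the given records (constructed test data)."""
    body = b"".join(records)
    max_words = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    # mtType=1 (memory), mtHeaderSize=9 words, mtVersion=0x0300, mtSize in words,
    # mtNoObjects=0, mtMaxRecord, mtNoParameters=0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


# Constructed records for the example.
REC_SETMAPMODE = struct.pack("<IHH", 4, 0x0103, 8)      # benign META_SETMAPMODE(MM_ANISOTROPIC)
REC_ABORTPROC = struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, 4) + b"DATA"
REC_UNDERSIZED = struct.pack("<IH", 1, META_ESCAPE)      # rdSize=1: the "length 1" condition
REC_EOF = struct.pack("<IH", 3, META_EOF)

CLEAN_WMF = build_sample([REC_SETMAPMODE, REC_EOF])
SUSPECT_WMF = build_sample([REC_SETMAPMODE, REC_ABORTPROC, REC_UNDERSIZED, REC_EOF])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, scan_wmf(blob))
```

Run as a script, the clean sample produces no findings and the suspect sample reports the SetAbortProc escape at offset 26 and the undersized record at offset 40. To use it on real files, pass the file bytes to scan_wmf; the placeable-header check handles the common on-disk variant. Note that this is a structural heuristic for triage, not a decision about whether a given renderer would actually execute anything.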

  5. It is amazing that you can find the same comments in every site that talks about this. First, the attack on Steve Gibson, with similar language. Second, the Wine argument, which is bogus, Wine tries to implement the features of Windows the best it can. It has to imitate behaviour! Finally, none of the comments answer the real concerns that Steve Gibson presented. He even answered them on his site…

  7. It explains it well (and, for the first time, why legacy systems are not getting patched), but not how the vulnerability was missed by SP2. That’s still cause for concern.

  9. Well it appears that this exact same flaw appears in the Wine implementation, which was written from the specs without access to the Windows source code – so did the Wine guys put the backdoor in as well?

    Pure nonsense...

  11. Well, if Microsoft wanted a backdoor, would they have made it such that it:
    a) didn’t require user interaction (opening a webpage or image)
    b) was not part of a public API
    c) was targetable (pick an IP instead of indiscriminate)

    Hmm, screw that, conspiracy theories are much more fun! UFOs power MacOSX! Steve Jobs is an android powered by pure evil! Walt Disney was the antichrist!

  13. I for one, do not believe that MS intentionally put a backdoor in WMF. As the old saying goes, “Never attribute to malice, what can be adequately explained by stupidity”.

    All the WMF issues are due to plain old incompetence.

  15. Well, it was really done because customers were asking tons of questions about it. Really, the assertion by some people that there would be an intentional back door inserted into Windows which could only be used by first convincing the user to visit a website is pretty funny on the face of it. But hey, letting people know the background is good too. People like to learn the same lessons we learn about software vulnerabilities, so I hope you guys found it interesting.

    S.

  17. Mr. Potato Head? Mr. Potato Head? Back doors are not secrets!

    I think it is possible, but not likely. Mr. Gibson can be a little paranoid. That’s his job.

  19. I’ve never been a fan of Steve Gibson’s somewhat irresponsible ‘conclusions’. To say the evidence for a backdoor is “quite compelling” is one thing, but to later state clearly (and more than once) that Microsoft “intentionally put a backdoor in Windows” is, well… you really shouldn’t be taking flak for this Robert!

    Thanks for the link to Stephen’s post btw, v. interesting.

  21. Pingback: The PC Doctor

Comments are closed.