WMF Vulnerability is an Intentional Backdoor?

Posted by Zonk
from the take-with-a-grain-of-salt dept.
An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.
  • Another? (Score:2, Interesting)

    by rindeee (530084) on Friday January 13, 2006 @01:38PM (#14464872)
    How about a link to information on the "other" intentional back doors that exist?
  • Rootkit (Score:2, Interesting)

    by poeidon1 (767457) on Friday January 13, 2006 @01:38PM (#14464878) Homepage
    Is it like a rootkit, but placed by Microsoft itself? Grrr.
  • by AltGrendel (175092) on Friday January 13, 2006 @01:40PM (#14464898) Homepage
    I could see someone deliberately doing this, maybe a contractor or a disgruntled employee.

    It's happened before and it will happen again. Whether this is the case remains to be seen.

  • Government backdoor? (Score:5, Interesting)

    by Jerry_Duplicate (126840) on Friday January 13, 2006 @01:40PM (#14464904)
    There was talk about the NSA/CIA having a close relationship with Microsoft and being able to exploit backdoors in Windows. This could have all been conspiracy theories, but the fact that this vulnerability existed throughout the Windows line kinda seems odd..

    If this isn't a glaring example on why you should support open source, I don't know what is....
  • by TripMaster Monkey (862126) * on Friday January 13, 2006 @01:41PM (#14464913)

    From TFA:
    And their [Microsoft's] definition for what's critical is sort of amazing. I mean, and this is from a page on their website. They say a vulnerability in Windows is critical only if its exploitation could allow the propagation of an Internet worm without user action. In other words, anything else is not critical.
    You mean user action like...say...opening a web browser?

    Anyway, this is freaky interesting, because if this is actually true, it's pure, unvarnished evil. It's a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

    Steve makes an excellent case with his diagnosis, but I'd love to see his findings verified by a few other agencies. This is too important to leave to one researcher.

    I, for one, am going to be following this story avidly. Any bets on when M$ issues a statement that a 'rogue programmer' put this code in, and disavows any knowledge or responsibility?
  • do you mean (Score:4, Interesting)

    by Anonymous Coward on Friday January 13, 2006 @01:42PM (#14464925)

    This Steve Gibson [grcsucks.com]? Yeah, he is a real security expert; along with his podcast boy wonder, we have much to be afraid of.

  • Re:Rootkit (Score:2, Interesting)

    by poeidon1 (767457) on Friday January 13, 2006 @01:44PM (#14464945) Homepage
    So, can I sue Microsoft now for the damage?
  • Possible uses? (Score:4, Interesting)

    by Kitsune78 (941644) on Friday January 13, 2006 @01:46PM (#14464962)
    The freakish thing about this is that if it is indeed a backdoor, it's an odd way to go about it. You can't force someone to try to view a WMF. What would its purpose be? You can't use it to get into the exact box you want to, just into a random box that perhaps picks up your WMF from a webpage, or displayed in an application.
  • by m50d (797211) on Friday January 13, 2006 @01:46PM (#14464968) Homepage Journal
    That's why they're bugs. Seriously, I don't think the fact that it behaves differently from how it does in a printer is any indication it was deliberately written that way. More likely this was an attempt to disable the code that went wrong.
  • Lawsuit time (Score:5, Interesting)

    by Animats (122034) on Friday January 13, 2006 @01:47PM (#14464980) Homepage
    Someone involved in a WMA-related lawsuit needs to subpoena, from Microsoft, all the source code and all the change control information for this small part of Windows. Then the original programmers need to be found and deposed under oath. This is standard legal procedure for something like this.

    It's possible to get to the bottom of this by legal means.

  • by Marxist Hacker 42 (638312) * <seebert42@gmail.com> on Friday January 13, 2006 @01:47PM (#14464983) Homepage Journal
    I think it's a beneficial back door- in fact, I wouldn't be at all surprised to find that they'll need to update "Windows Update" after all the patches are in place.
  • Magic Lantern? (Score:5, Interesting)

    by Tackhead (54550) on Friday January 13, 2006 @01:47PM (#14464985)
    Sometimes even a blind squirrel gets a nut.

    The notion of a backdoor in Windows isn't new. Perhaps the WMF vulnerability was one of the vectors used by Magic Lantern [wired.com], which was the code word for at least one of the FBI's keylogger programs. Magic Lantern was notable in that antivirus providers participated with the Feebs in a gentleman's agreement to not look for it.

    It's certainly a dumb enough solution that the IT-challenged FBI might go for it.

    On relative dumbness and smartness, I'd expect smart spies, namely those who work for two other notable three-letter-agencies, to use somewhat more interesting techniques. If it were me, I'd take advantage of equipment I had in place at critical infrastructure points to conduct MITM attacks between a PC and Windows Update servers, in order to transparently install my spookware on only those machines that specifically identify themselves - by means of GUID or whatever other stuff I could glean from the Windows Genuine Advantage and other DRM-related bitstreams - as belonging to my target population.

    Paranoid? If you're not paranoid, you're not thinking far enough ahead.

  • Re:Possible uses? (Score:2, Interesting)

    by pahoran (893196) on Friday January 13, 2006 @01:52PM (#14465038)
    Looking for terrorists? You don't necessarily know where they are.

    Looking for people who have bad things to say about the gov't on their computer? You don't necessarily know where they are.

    And let your imagination continue the list ...
  • What about wine? (Score:3, Interesting)

    by Meltr (45049) on Friday January 13, 2006 @01:53PM (#14465047)
    I thought the same vulnerability exists in wine?

    http://it.slashdot.org/article.pl?sid=06/01/06/2043203 [slashdot.org]
  • by Dystopian Rebel (714995) on Friday January 13, 2006 @01:53PM (#14465053) Journal
    but the fact that this vulnerability existed throughout the Windows line kinda seems odd.


    The function in question has existed for a long time. The exploit is in Windows 2000 and more recent. From the transcript:

    But the only conclusion I can draw is that there has been code from at least Windows 2000 on, and in all current versions, and even, you know, future versions, until it was discovered, which was deliberately put in there by some group, we don't know at what level or how large in Microsoft, that gave them the ability that they who knew how to get their Windows systems to silently and secretly run code contained in an image, those people would be able to do that on remotely located Windows machines...
  • Re:Possible uses? (Score:5, Interesting)

    by RexRhino (769423) on Friday January 13, 2006 @01:53PM (#14465058)
    Digital Rights Management... If you can control a box using a WMF file, there is all sorts of digital rights management mischief you can do to prevent a machine from copying a file, or decoding a file, or whatever.
  • Re:Length==1 (Score:5, Interesting)

    by atfrase (879806) on Friday January 13, 2006 @01:57PM (#14465101)
    Agreed, it doesn't seem like the kind of "feature" that was designed in top-secret MS design documents or developed in meetings.

    But I still have a hard time seeing how code would *accidentally* behave like this. An invalid length should abort processing right off the bat, for one thing; "falling through" might be an explanation, but what possible code could be "fallen through" into that would set CPU execution *inside* the metafile -- moreover, would set CPU execution to the *next byte* after the erroneous header block. That's awfully convenient; if it were a mistake, I'd expect code execution to begin at some other random location, probably influenced by whatever happened to be in the register or some temporary pointer variable at the time. But the very next byte? That's too insanely convenient -- you get to provide your key *and* your payload in the *same* place.

    You could argue that buffer overrun exploits do the same thing, but the idea of the buffer overflow is to specifically overwrite the function-return pointer to *make* it point at your code. In this case, the exploit doesn't have to specify the location of the code to execute, Windows does that for you. Too convenient.
  • by Anonymous Coward on Friday January 13, 2006 @01:58PM (#14465122)
    I know someone with a security clearance at the NSA. The backdoor(s) exist and are intentional, but he would never tell me what they were. This is just another example of why I tell people to run open source software.
  • Re:Length==1 (Score:4, Interesting)

    by Shimmer (3036) <brianberns@gmail.com> on Friday January 13, 2006 @02:03PM (#14465165) Homepage Journal
    You're right, of course. Everyone who's saying this is "obviously" intentional is jumping the gun in a big way. I've got $5 right here that says it's an accident.

    "Never ascribe to malice that which is adequately explained by incompetence."
  • by Andrewkov (140579) on Friday January 13, 2006 @02:04PM (#14465176)
    It seems unlikely that an API programmer would have access to the main webservers to pull that off. Besides, the exploitable feature has been there since Windows 3.1 (if I remember a comment from a previous Slashdot story correctly).
  • by Moby Cock (771358) on Friday January 13, 2006 @02:05PM (#14465190) Homepage
    Normally I'd agree with you. But in this case I think he may have found something very important. This WMF flap stinks to high heaven. The fact that there seems to be a specific and deliberate key (length == 1) is very disturbing. Gibson is a wacko and doomsayer, but today he may have found something valid.
  • by khasim (1285) <brandioch.conner@gmail.com> on Friday January 13, 2006 @02:07PM (#14465209)
    I've posted this once today.

    1. Remote root access that does NOT require human intervention or other app running.

    2. Remote non-root access that does NOT require human intervention or other app running.

    3. Local root access that does NOT require human intervention or other app running.

    4. Local non-root access that does NOT require human intervention or other app running.

    5. Remote root access that requires some human interaction or some combination of apps.

    6. Remote non-root access that requires some human interaction or some combination of apps.

    7. Local root access that requires some human interaction or some combination of apps.

    8. Local non-root access that requires some human interaction or some combination of apps.

    9. Remote OS crash.

    10. Remote app crash.

    11. Local OS crash.

    12. Local app crash.

    So, Microsoft's criteria would be equivalent to #1 here. And I agree that it is "critical". It is the WORST possible vulnerability. Which is why I listed it as #1.

    But #2 is only slightly less devastating. And if you combine #2 with #3, you'll have the equivalent of #1.

    Therefore, ANY remote attack that gives you ANY user level or above access should be "critical".

    But who really cares what name you assign them? "Critical", "Red", "Emergency", "Category 1", whatever.

    What matters is what avenue is open for attack and what the results of that attack will be.

    1,000 level 12 vulnerabilities aren't anything compared to one single level 1 vulnerability.
  • by NtroP (649992) on Friday January 13, 2006 @02:07PM (#14465212)
    That's why they're bugs. Seriously, I don't think the fact that it behaves differently from how it does in a printer is any indication it was deliberately written that way. More likely this was an attempt to disable the code that went wrong.
    You're talking out of your ass. RTFA.

    This is (IMNSHO) not a bug. How would you accidentally introduce a bug that for one specific, non-valid, value the program would start executing code that has no place being there in the first place? This has nothing to do with printing. This has nothing to do with a callback to a function in the originating program to tell it the print job has been aborted. This is about executing code within the WMF file directly. It serves no purpose, especially since it only works if you give specific, non-random, invalid input to the WMF parser.

  • Re:Thread Creation (Score:2, Interesting)

    by bdcrazy (817679) <bdc_tggr-forums@yahoo.com> on Friday January 13, 2006 @02:14PM (#14465280) Homepage
    Could this possibly be an indirection by laziness or something more sophisticated?

    I know I've modified some already working code to use inputs that would have been 'invalid' before the modifications, to add new functionality to small programs to do other things that are similar without having to start them from scratch.

    I could see this as being a way to allow unknown image formats encapsulated in WMF files to create processes to decode and display images that weren't of the type the original WMF knew about? I know this is just speculation, but it could be a neat way of doing things, a la, including the decoder along with the actual thing to be decoded, but also bad for security purposes.
  • by criznach (583777) on Friday January 13, 2006 @02:14PM (#14465281)
    My question is this... If the guy is smart enough to know that windows has kicked off a thread and executed his code, and he's smart enough to experiment with buffer-overflow exploits, why hasn't he stepped through the WMF interpreter code? Could it be that he doesn't want to admit that he has for legal reasons? I know that if I had discovered this problem, that's just what I would do. Call DebugBreak() and you have a call stack. You'd think that the handler for this SetAbortProc function would be pretty identifiable. So... Who's got the balls (or the time, in my case) to do it? That's our answer. Chris.
  • by talexb (223672) on Friday January 13, 2006 @02:18PM (#14465328) Homepage Journal
    I still have two systems in my house that run Win98 -- because of the applications I need to use. They'll probably disappear in the next two years, but if you look at web logs on a public site, you'll probably see 10% of the browsers are still coming from Win98.

    It's not dead yet. You just wish it were. ;)
  • by RingDev (879105) on Friday January 13, 2006 @02:22PM (#14465364) Homepage Journal
    Code encounters escape character

    exit standard processing

    encounter SetAbortProc

    open thread to communicate with windows print manager

    thread attempts to read [length] bytes for sub value, encounters overrun

    This is where I'm guessing the real horrendous problem lies. I'm guessing that the original code ignores exceptions while pulling in the sub value, so in this case where code hits an overrun, instead of that sub value getting a few bytes of data, it just grabs until . In this case that sub value winds up being the payload.

    So there you go, key and payload on an independent thread because of a bad exception handler in a 12 year old block of code.

    -Rick
  • still in use (Score:5, Interesting)

    by Anonymous Coward on Friday January 13, 2006 @02:30PM (#14465431)
    The 98 series and NT4 are still in widespread (millions and millions) use. This is called a "problem" then. The auto industry in the US tried to pull this stunt of obsoleting and stopping support for their products in short time frames (sometimes within the SAME model year!) and got legally smacked down for it. Now they are required to provide replacement parts for ten years. Just because normal business product laws and warranties aren't applied to software yet, and they certainly should be, doesn't mean it wouldn't be a good idea. Planned obsolescence and forced upgrades might be a spiffy way for some corps to extract a lot more dineros from your wallet, but it doesn't mean it's a good idea for you the consumer/end user...unless you are a pure "caveat emptor" anything-goes styled capitalist. Thankfully, most people see the illogic in that sort of system and that is why we have evolved some consumer protection laws. It is not a perfect solution, but it is light years ahead of legalised snakeoil like it was before. Eventually these sorts of laws will be applied to software, because even the dullest clicker is starting to bingo to the fact that most of this forced upgrade stuff is a cash cow dodge.
  • by einhverfr (238914) <chris.traversNO@SPAMgmail.com> on Friday January 13, 2006 @02:49PM (#14465575) Homepage Journal
    This is a story that I have been following for a long reason.

    Also this is the reason that the German gov't commenced a project to create a special operating system for their needs wrt classified information. And although this is *not* public knowledge this is also why China has requested Microsoft's help in replacing the affected portions of Windows (I believe in good faith that I am probably not violating my NDA by bringing this up).

    I have every reason to believe that this is accurate based on what I have seen.
  • by Mr Z (6791) on Friday January 13, 2006 @02:57PM (#14465658) Homepage Journal
    I'm surprised nobody's trotted out Reflections on Trusting Trust [acm.org], by Ken Thompson. Not only does this discuss a backdoor, but also a backdoor that can't be found by examining the source code.
  • by IPFreely (47576) <mark@mwiley.org> on Friday January 13, 2006 @03:01PM (#14465698) Homepage Journal
    If that is all it was, then the same thread would jump into the user code. But wait...

    I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code.

    So, it accidentally created a new thread, and directed the new thread to start executing code at the specific position? That's a whole different level of accident.

    Oh, and Shimmer, I'll take that $5.

  • by g2devi (898503) on Friday January 13, 2006 @03:18PM (#14465865)
    > but what possible code could be "fallen through" into
    > that would set CPU execution *inside* the metafile

    Actually, I think it was done for performance releases (remember, existed back in the Win 3.0 days).

    Back in ye olden days, there was a common software practise called self modifying code. It was used in some implementations of FORTH, but it was far more popular on systems that had few registers like C64. It was generally used as a way to dramatically speed up code on those slow processors.

    Have a look at the popular C64/Atari program SpeedScript (see http://www.atarimagazines.com/compute/gazette/198705-speedscript.html [atarimagazines.com] or http://www.atariarchives.org/speedscript/ch3.php [atariarchives.org] ).

    The source code gives an example:
    "This module is chiefly concerned with the word processor editing functions. It contains many common subroutines, such as TOPCLR and PRMSG to clear the command line and print messages. It contains the initialization routines and takes care of memory moves (inserts and deletes). A second module, SPEED.2, is responsible for most input/output, including the printer routines. SPEED.1 is the largest file in the linked chain. UMOVE is a high-speed memory move routine. It gets its speed from self-modifying code (the $FFFFs at MOVLOOP are replaced by actual addresses when UMOVE is called). UMOVE is used to move an overlapping range of memory upward (toward location 0), so it is used to delete. Set FROML/FROMH to point to the source area of memory, DESTL/DESTH to point to the destination, and LLEN/HLEN to hold the length of the area being moved."
  • by Procyon101 (61366) on Friday January 13, 2006 @03:45PM (#14466131) Journal
    This is *SEVERELY* doubtful.

    1) NT Win32 is a fresh implementation of the Win32. This doesn't share Win16 code.
    2) NT, and especially Win32 is written almost entirely in C++. Ever try to do self modifying code in C++?
    3) The security push from 2 years ago would have never let self modifying code pass.
    4) Intel Procs aren't particularly suited to self modifying assembly.
    5) Nobody on the Windows team would seriously consider using it, ever, even if it is joked about on beer Friday. Any attempt to use it in reality would start with a flogging and end with a firing.
  • by SmallFurryCreature (593017) on Friday January 13, 2006 @04:03PM (#14466300) Journal

    A black van pulls up to your ISP, several men in black suits emerge and enter the office.

    Agent A: We would like to access your network routers.

    ISP clerk: Why? Who are you, can I see some papers?

    Agent B: [Pulls out a black gun] You don't need to see our papers geek boy.

    Agent A: Mr. Smith please, not yet. Our papers are in the mail, do you want to wait for them to arrive? Mr. Smith here hates waiting but if you want to force him to wait I am sure that is fine.

    ISP clerk: [looks at Agent B playing with a blackened knife] In the mail you say? Oh that is fine, absolutely, let me buzz you in.

    Agent A: Thank you for your cooperation citizen. I will just be a minute, Mr Smith here will keep you company so you won't get lonely and feel the need to call anyone. [enters the machine room while Agent B plays with his knife]

    Agent A: [returns after a few minutes] We will be leaving now. The government thanks you for your cooperation, please refrain from speaking about this with anyone.

    The two agents leave and the ISP clerk decides that he needs another job.

    Question: How do you force people to retrieve an infected WMF file? Answer: Control the network.

    Any computer connected to the network does so because an ISP somewhere routes the calls to the proper address. Rerouting it is trivial for the right people.

    This could be done by the government in exactly the same way they redirect phone calls (You never seen a movie where people call phone X only to find themselves talking to phone Y without their knowledge?) OR another reason?

    This "bug" is claimed to be new to Windows 2000. Roughly the time of all those worms when it became impossible to patch a new Windows online BEFORE it was infected. Now imagine the solution if this had gotten really out of control, where a worm so nasty was out that EVERY Windows machine connected to the net would instantly be infected. How would you patch all those machines? Especially considering how impossible it is to get users to actually PATCH their bloody machines? You could make the argument that what would be needed is some kind of solution where every Windows machine connecting to the net would immediately be patched.

    Cue every ISP being told to redirect their users to a WMF file (every ISP is capable of this) and voila, instant enforced patching no matter how much you disabled MS update.

    The only problem with exploiting this is for complete outsiders. The government has absolutely no problem exploiting this exploit to root your machine.

    Is this the explanation? I don't know. I am just guessing and not accepting the easy answer.

  • malfeature (Score:3, Interesting)

    by HTH NE1 (675604) on Friday January 13, 2006 @04:13PM (#14466381)
    Similarly, they are both features. Features can't be bad, right?

    feature [catb.org]: n.

    2. [common] An intended property or behavior (as of a program). Whether it is good or not is immaterial (but if bad, it is also a misfeature [catb.org]).
    So yes, it's a feature, but it isn't a good feature. It would be a misfeature, but I suggest that good and bad aren't sufficient to fully describe this. You need good, bad, and evil. Thus I suggest a new term for evil features like this: malfeature.

    And that one can have "mismalfeatures", though I'd rather make that into "dismalfeatures".
  • by codemachine (245871) on Friday January 13, 2006 @04:25PM (#14466516)
    It should be noted that although Wine does suffer from a WMF vulnerability as well, the behaviour is not the same one as described here. There is no special case for length==1 in Wine, and no way to have your exploit code right after the length field in the WMF. Wine simply implements the same abort routine that MS's API specifies (and can be argued to be a bad idea in itself, but that is MS's fault not Wine's). The way it can be exploited is completely different, and does not resemble a backdoor in any way.

    In fact, the differences between the behaviour of Wine and Windows imply that there is indeed something very unusual about the way Windows handles this special case. Whether it is an intentional problem or just horribly bad coding, that is harder to say.

  • by ROBOKATZ (211768) on Friday January 13, 2006 @05:05PM (#14466874)
    Part of the setup of the AbortProc packet is the callback address. But in this case, the place where the callback address would be is instead the first byte of the newly executed code. So the callback address cannot even be put into the packet properly. That is where the code has to be.

    Keep in mind there is an interpreting layer separating the WMF from the actual GDI call. It's entirely plausible that in some confusion the real Escape call is being passed the address of the argument in the script rather than interpreting the data in the script as the pointer value. Not only is this plausible, but it makes perfect sense -- any function interpreted in this context would have to work this way, for example, TextOut usually accepts a pointer to a string, but I bet in a WMF you would simply supply the string literal, and the WMF interpreter would pass a pointer to that data to the real TextOut.

    The escape for AbortProc is the way to set the callback in the first place. But since the packet is messed up (the length is one rather than the proper length) then effectively the whole "ESC/AbortProc" packet should never even be properly processed.

    It's likely that the length record is merely used to determine what to increment the pointer into the script by once the current packet finishes execution -- if this is the case, an invalid length would not affect the current packet, but then would cause problems after the current packet is processed.

    Finally, someone has pointed out that the length does not have to be one [slashdot.org].

    There is nothing outrageous about this in the least.
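
    As an added, detection-oriented example (not code from the thread, from Gibson, or from Microsoft), the Python below walks the WMF record chain that ROBOKATZ's interpreter-layer description refers to and flags the two things a defender would want surfaced: any META_ESCAPE record carrying SETABORTPROC, which has no legitimate use in a file-based metafile, and any record whose rdSize is below the three-word minimum, i.e. the "length == 1" malformed case the thread argues about. The numeric constants come from the WMF format and wingdi.h; the three sample files are constructed inline and the malformed one deliberately uses an ordinary record, not an escape.

```python
import struct

# WMF format / wingdi.h constants (format facts, not values taken from the thread).
WMF_PLACEABLE_KEY = 0x9AC6CDD7   # key of the optional 22-byte placeable (Aldus) header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103         # an ordinary, harmless record type used for samples
META_ESCAPE = 0x0626
SETABORTPROC = 9                 # escape function number in a META_ESCAPE record
MIN_RECORD_WORDS = 3             # rdSize (2 words) + rdFunction (1 word)
STD_HEADER_LEN = 18              # bytes
PLACEABLE_HEADER_LEN = 22        # bytes


def build_record(func, params=b"", size_words=-1):
    """Encode one WMF record: DWORD rdSize (in 16-bit words), WORD rdFunction, params.
    size_words lets a constructed sample lie about its size, as the bug report describes."""
    if size_words < 0:
        size_words = MIN_RECORD_WORDS + len(params) // 2
    return struct.pack("<IH", size_words, func) + params


def build_wmf(records):
    """Wrap records in a standard (non-placeable) WMF header plus a META_EOF record."""
    body = b"".join(records) + build_record(META_EOF)
    total_words = (STD_HEADER_LEN + len(body)) // 2
    max_words = max(struct.unpack_from("<I", r, 0)[0] for r in records) if records else 3
    # mtType=1 (memory), mtHeaderSize=9 words, mtVersion=0x300, mtSize, mtNoObjects,
    # mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


def scan_wmf(data):
    """Return a list of findings for one WMF blob (empty list means nothing suspicious)."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + STD_HEADER_LEN:
        return ["truncated: standard header missing"]
    mt_type, header_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        findings.append(f"bad header: mtType={mt_type} mtHeaderSize={header_words}")
    off += STD_HEADER_LEN
    while True:
        if off + 6 > len(data):
            findings.append("truncated: no META_EOF record")
            break
        rd_size, rd_func = struct.unpack_from("<IH", data, off)
        if rd_func == META_EOF:
            break
        # Inspect the escape function before trusting rdSize: the whole point of the
        # thread is that rdSize may lie, so the check must not depend on it.
        if rd_func == META_ESCAPE and off + 10 <= len(data):
            esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
            if esc_func == SETABORTPROC:
                findings.append(f"SETABORTPROC escape at offset {off} "
                                f"(rdSize={rd_size}, ByteCount={byte_count})")
        if rd_size < MIN_RECORD_WORDS:
            findings.append(f"malformed record at offset {off}: "
                            f"rdSize={rd_size} < {MIN_RECORD_WORDS} words")
            break  # cannot advance safely, so stop rather than guess at the next record
        if off + rd_size * 2 > len(data):
            findings.append(f"truncated record at offset {off}: rdSize={rd_size} words overruns file")
            break
        off += rd_size * 2
    return findings


# Constructed sample files (not real captures from the 2006 incident).
BENIGN_WMF = build_wmf([build_record(META_SETMAPMODE, struct.pack("<H", 8))])
ABORTPROC_WMF = build_wmf([build_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
BAD_SIZE_WMF = build_wmf([build_record(META_SETMAPMODE, struct.pack("<H", 8), size_words=1)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("abortproc", ABORTPROC_WMF), ("bad-size", BAD_SIZE_WMF)):
        print(name, scan_wmf(blob) or "clean")
```

    A real-world scanner would additionally reject META_ESCAPE records of any kind in files arriving from untrusted sources, which is what the interim filtering rules of the time amounted to.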

  • by Tired_Blood (582679) on Friday January 13, 2006 @05:30PM (#14467129)
    The problem encountered by those reporting on the concentration camps was that in the FIRST world war, everybody got exposed to extreme propaganda depicting all Germans as vile creatures. When the exaggerations and lies were brought to light, the public had then learned to seriously doubt such extreme accusations. It could be argued that when the reports from Jan Karski (an eyewitness to the ghetto and concentration camp conditions) were dismissed, it was due to that legacy of doubt in 1943.

    The reporting during WWI damaged the credibility of all reporting during WWII.

    jcr (53032): Allied propagandists didn't have the imagination to come up with anything like the holocaust.

    They most certainly did have the imagination, but they realized that they did not have a willing audience for such accusations. Successful PR cannot be had with seemingly wild claims, especially if the organization has been shown to greatly overexaggerate in the past.
  • by IPFreely (47576) <mark@mwiley.org> on Friday January 13, 2006 @05:51PM (#14467357) Homepage Journal
    Hmmm. Interesting. With all that (esp length != 1) it starts to form a picture.
    Programmer initially writing this thing needs to debug along the way. He puts in AbortProc with embedded code rather than callback pointer (after all, where could it point to?) to make a popup or something. If set properly, it merely keeps the address of the code and continues. Later somewhere it hits an error and aborts. When the interpreter aborts, he gets his popup in the right place. Maybe he did it for himself, or maybe he did it for someone else who's writing a WMF author. He's not thinking about potential misuse.

    So... What happens if you make an AbortProc packet, with embedded code instead of pointer. Then you set the length properly to point to after the code. Then there's another error later. Will it abort? Will it run the code? It's worth a test to someone with a test harness.

    It's looking more like design. But maybe not malicious design, just "too clever for its own good" design.

  • Other Explanations (Score:3, Interesting)

    by logicnazi (169418) on Friday January 13, 2006 @06:46PM (#14467836) Homepage
    As far as I could tell the only evidence present that the vulnerability really was a backdoor was the fact that the message length needed to be set to *exactly* one in order for the vulnerability to work. Presumably the argument then runs that poor coding wouldn't generate such a specific effect so it must be a deliberately coded back door.

    This, however, overlooks many other possibilities and, unless there is other evidence I am unaware of, suggests an ignorance of security vulnerabilities by those making the suggestion. Frequently security vulnerabilities result from data being interpreted in an incorrect fashion as a result of pointer munging or memory collisions. Often some perfectly innocent piece of data (like message length) will get used as an index into some table or mistakenly used instead of the correct variable in some test and cause incorrect execution or privilege escalation of the user's code.

    Even if there is reason to believe this isn't a simple code error like this, there are many other explanations other than Microsoft's or an employee's malevolence. For instance imagine this situation:

    Initially Metafile execution is designed to execute code in the fashion of the vulnerability with no requirement on the header length. This is perfectly plausible if it was programmed by some new hire without much awareness of security. Hell, it could be a bug introduced to do some sort of debug or get something up and working fast which just got left in the codebase. I'm sure all of us have made a change to our code that screws over security just to do some testing and sometimes people forget about it or get fired.

    In any case this security issue in the code base is there and some other parts of windows start relying on it. The security experts eventually notice the issue but by now other parts of windows will break if it gets fixed. Perhaps then the deciscion is made to partially patch the vulnerability but leave a special value for some fields which triggers the old behavior so as not to break the other parts of windows. If this is the case it would explain microsoft's recluctance to patch 95 and other old systems, because a patch would require rewriting some significant part of the system.

    Perhaps Microsoft even intended to fix the vulnerability but the blah-blah group asks the metafile group to leave in a workaround (the special values) so they can continue to work on the rest of their component. Maybe then the groups are late to the deadline and forget about that issue in their rush. Or perhaps by this time the group members who knew about the workaround have left and no one knows to go back and remove it. Or maybe this is fixed as part of some larger patch applied to the source tree and when it breaks the build late at night and someone calls the metafile team, whoever answers doesn't realize it's a security issue and backs out the change but forgets to tell the people who made it.

    Whether or not I have the details right the point is clear. There are a hundred innocent ways for this sort of vulnerability to arise. It is silly to jump to the conclusion it is an intentional backdoor.
  • Re:Yeah... (Score:3, Interesting)

    by lachlan76 (770870) on Friday January 13, 2006 @07:58PM (#14468389)
    It wasn't for security though. The reason they disabled raw sockets was to stop people from using them to get around the limits on network connectivity between XP Home/XP Pro/Server 2003.
  • by Procyon101 (61366) on Friday January 13, 2006 @08:54PM (#14468750) Journal
    Hehe. I didn't say it was *GOOD* C++ :)

    Most MS coding from this era (and even nowadays) is a bit of a mix. It is compiled as C++, but written in a mostly C style and given external C linkage. It's a weird mix. It did allow some C++ constructs that were disallowed prior to C99, like relaxing the location of variable declarations and such, and tightens up the type safety a bit. It also allows some other niceties like structs used internally to occasionally have private members, although these more C++ aspects are rarely used. But yes, you are correct that it is primarily C stylistically (and for linkage purposes) but in reality it is C++ written in a way that makes C++ advocates cry.
  • Re:Another? (Score:3, Interesting)

    by JourneyExpertApe (906162) on Friday January 13, 2006 @09:14PM (#14468848)
    Because, you know, if the NSA did have a secret backdoor, they'd make sure it was called NSAKEY, in case they forgot where it was, or something.

    Stranger things have happened. When a German law enforcement agency forced the developers of JAP (Java Anon Proxy) to put a backdoor in it, they put in code like:
    if (crimeDetected) {
        object->logCrime(...);
    }

    And it was an open-source project. Someone later admitted that they were kind of hoping that somebody would notice it, because they didn't think they could legally expose it themselves. Maybe someone at Microsoft didn't think it was right for the NSA to install a back door, and they had a conscience. Wait, what am I saying? This is Microsoft!
  • I'm asking "Why?" (Score:3, Interesting)

    by gone.fishing (213219) on Friday January 13, 2006 @10:32PM (#14469192) Journal
    I don't want this to sound like I am too "Pro-Microsoft" (I'm not). If Microsoft intentionally put the vulnerability into their product then there must be a reason why. That is the question that I would like someone to answer because it does make all the difference. The question goes straight to motive.

    If the vulnerability was an accident it was stupid and it needs to be fixed. I don't necessarily buy Gibson's reasoning but I can see how he got there and that is enough to be troubling to me.

    Did some rogue programmer think "This is a cool idea" and against the rules just stuck it in there? I can't believe that Microsoft gives anyone that kind of autonomy. They have to have far better code review policies than that. That is harder for me to believe than anything else!

    Did some group think that this backdoor coupled with some other software could be used for some acceptable purpose in the future? Did someone say "Hey, with some code off of the Genuine Advantage web site we can use this to disable some features on computers that are running pirated software."? This is only an example but I hope you get my point. I can see how something like this may be considered and discussed. I'm not so sure it would make it past the lawyers though. Maybe it was started, aborted, and this was a trace that was forgotten about and slipped by? This sounds a little far-fetched but I have seen useless bits of code left behind in other coding projects. I'd buy something like this even though it sounds like something out of a bad movie.

    Did the NSA or some other agency approach Microsoft and ask to have something like this put in their code? We know that they have asked for encryption code before so that they could examine it so maybe this kind of idea isn't so strange? An exploit that the government knows about could give them a significant advantage in cyber-war. Frankly, this sounds like a Tom Clancy wannabe's plot for a novel. But it could happen.

    Honestly though all of this stuff sounds like conspiracy-theory stuff to me. My guess is that it is more innocent than all of that. I'd guess the exploit is a leaving. Something that got left behind from some piece of code that simply didn't make the final cut.

    I'd just like Microsoft to explain themselves this one time. Completely, thoroughly, honestly. Then they can tell us what they will do to ensure it won't happen again.

  • by Stepto (25864) on Friday January 13, 2006 @11:33PM (#14469416) Homepage
    We've blogged about this already providing the background of the bug:

    http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx [technet.com]

    I emailed Zonk about it but I don't think he's had a chance to update the posting.

    Long story short, the idea that this is intentional rests on the premise that only an incorrect value produces the vuln. That is totally wrong; both correct and incorrect values trip the vulnerability. Besides, doesn't it seem odd to create a backdoor that would require the user to first visit a website? What, were we going to take out a Super Bowl ad suggesting people visit www.microsoft.com so we could...uh...what exactly?

    S.
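    The point above, that both well-formed and malformed record sizes trip the flaw, matters for anyone writing detection: a scanner keyed only on the 1-word quirk misses half the cases. The following Python record walker is an added example (not code from Stepto's post, from Microsoft, or from the podcast) that flags every Escape/SetAbortProc record regardless of its declared size. It assumes the standard WMF layout (18-byte METAHEADER, records of a 32-bit word count plus 16-bit function code, META_ESCAPE = 0x0626, SETABORTPROC = 9); the sample file bytes are constructed.

```python
import struct

# WMF format constants, assumed here for the example (Windows Metafile format)
META_ESCAPE = 0x0626          # record function code: Escape
SETABORTPROC = 0x0009         # Escape sub-function at the heart of the WMF bug
META_EOF = 0x0000
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header

def wmf_records(data):
    """Yield (offset, declared_size_in_words, function) for each WMF record."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    pos += 18                                   # skip the standard METAHEADER
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, pos)
        if func == META_EOF:
            break
        yield pos, size_words, func
        # A declared size below the 3-word minimum (the malformed case) would
        # stall the walk; step past at least the record header so it terminates.
        pos += max(size_words, 3) * 2

def find_setabortproc(data):
    """Return (offset, declared_size) of every Escape/SETABORTPROC record.
    The sub-function word is read even when the declared size claims the
    record has no parameters, since keying on size == 1 alone would miss the
    well-formed variant that trips the same code path."""
    hits = []
    for off, size_words, func in wmf_records(data):
        if func == META_ESCAPE and off + 8 <= len(data):
            esc = struct.unpack_from('<H', data, off + 6)[0]
            if esc == SETABORTPROC:
                hits.append((off, size_words))
    return hits

def build_wmf(records):
    """Constructed helper: wrap raw record bytes in a minimal METAHEADER + EOF."""
    body = b''.join(records) + struct.pack('<IH', 3, META_EOF)
    header = struct.pack('<HHHIHIH', 1, 9, 0x300, (18 + len(body)) // 2, 0, 5, 0)
    return header + body

# Constructed sample records (no payload): a harmless SetMapMode record, a
# well-formed 5-word Escape/SetAbortProc record, and the 1-word malformed form.
BENIGN_RECORD = struct.pack('<IHH', 4, 0x0103, 8)
WELLFORMED_ESCAPE = struct.pack('<IHHH', 5, META_ESCAPE, SETABORTPROC, 0)
MALFORMED_ESCAPE = struct.pack('<IHH', 1, META_ESCAPE, SETABORTPROC)
SAMPLE_WMF = build_wmf([BENIGN_RECORD, WELLFORMED_ESCAPE, MALFORMED_ESCAPE])
```

    Running `find_setabortproc(SAMPLE_WMF)` reports both Escape records, at offsets 26 (declared size 5) and 36 (declared size 1), while a file holding only the SetMapMode record reports nothing.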
  • by kupci (642531) on Saturday January 14, 2006 @12:53AM (#14469649)
    Sorry, coward, but if you had a smidgen of support for your statement, I'd be interested, but you don't.

    I've no idea what SuperSystemDefender is, never heard of it. He sells SpinRite [grc.com], a commercial product for system restore and recovery, written entirely in assembly, and he's been selling it for years; in fact I've used it since Win 3.0. Read the reviews - it's an excellent product. He does have a bunch of freeware programs available on his site to test your Windows security. Free, not shareware. He even recommends ZoneAlarm, as one of the few decent firewalls.

    As far as hype, I think you're confusing hype, like Microsoft hyping Vista, with real security issues, such as DOS (Denial Of Service). Since when is this hype? I'm curious. Gibson makes a lot of squawking, but he backs it up. He found issues with Microsoft's raw sockets [grc.com], and they took it out in SP2 - that was a fairly important security fix, wasn't it? I'm curious how that's bomb throwing, when Microsoft went and fixed it. [What I'm really curious about is why folks get so defensive about Microsoft and security. Why attack the whistleblower?] If that's hype, well, more power to the guy. If it helps him sell a few copies of SpinRite, or get a few visitors to his excellent site, so what? I could think of worse things - like spreading FUD, say. Or like selling a product full of security holes, taking a long time to fix them, and furthermore, sometimes not even fixing them.

  • by LinuxGeek (6139) <djand DOT nc AT gmail DOT com> on Saturday January 14, 2006 @10:00AM (#14470783)
    I'm a programmer. Got my start with BASIC in the TRS-80/Vic-20/Apple][ era. Progressed to writing device drivers in assembler for the newfangled IBM PCs and a UNIX clone named Coherent. Wrote my first Windows program for Win 3.0, progressing through Win2k and then jumping to Linux. For much of this time frame (late 80's through the present) I have been reading the writings of Mr. Gibson. I don't always agree with his opinions or approaches to communication, but I've never really been able to find fault with his research into specific security and operational flaws.

    Until I see strong reason to doubt his findings, I'll be reading his articles with great interest. To reiterate my previous post, what Mr. Gibson has described is exactly what a backdoor does. It is not a trivial programming task to spawn a new thread and then start that thread's execution at the byte following a single invalid WMF record descriptor. Get one of your programmer friends to explain the steps necessary to perform this sequence. If you can't get a good example, then post back here and I'll give you some pseudo code to outline how non-trivial it is and also show how unlikely it is that this is just a bug.
