
WMF Vulnerability is an Intentional Backdoor?

An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.
  • Length==1 (Score:5, Insightful)

    by atfrase ( 879806 ) on Friday January 13, 2006 @01:41PM (#14464918)
    This does look awfully like a special-case trigger. The idea of a backdoor is to have it look for a specifically crafted but completely nonsensical and invalid input sequence -- this serves as the "key" to the backdoor, ensuring that no other designer or user accidentally stumbles onto it. Since we assume that legitimate users and developers will only provide valid input, we design our "key" to be definitely invalid. For me, that length==1 trigger is the most convincing evidence. It's not just that it's the wrong input, it's that it's the one specific value of wrong input that triggers the behavior. That seems like design.
  • by alen ( 225700 ) on Friday January 13, 2006 @01:43PM (#14464937)
    Maybe this was for law enforcement or some other agency to track "people of interest."
  • by Tebriel ( 192168 ) on Friday January 13, 2006 @01:49PM (#14464995)
    A lawsuit is not the answer to everything.
  • by joshtimmons ( 241649 ) on Friday January 13, 2006 @01:49PM (#14464998) Homepage
    I agree with the author that the length prefix is something of a smoking gun. It begs the question of "how do we know it was fixed..." For example, they could change it to execute the datastream when length is set to a new trigger value; or a stronger backdoor would ignore any unsigned code. Still there, but harder to test for.

    It's a straightforward way to add a backdoor that will bypass firewalls, etc. It can be triggered by a browsed page, email, etc. It's better than gif/jpeg encoding because those are more "platform independent." and the payload would be more likely noticed by a 3rd party decoder.

    On the other hand, isn't this flagged as an attempt to execute code on a data page?

    Also, if it were official, doesn't MS have easier ways into a general box - say through security updates, or even the entire existing code base?
  • Re:Length==1 (Score:4, Insightful)

    by stevied ( 169 ) * on Friday January 13, 2006 @01:49PM (#14464999)
    Obviously SetAbortProc should not be implemented for WMF playback, but assuming somebody screwed up and just called the normal version of Escape(), could the behaviour we're seeing here not somehow be the result of not checking the validity of the length parameter properly, performing some arithmetic on it, and possibly falling through to some other code that happens to be a jump or call?
  • Re:Length==1 (Score:5, Insightful)

    by Procyon101 ( 61366 ) on Friday January 13, 2006 @01:49PM (#14465010) Journal
    Possibly, but I doubt it's a Microsoft sanctioned backdoor. Any "OFFICIAL" backdoor from MS would have a much more complex key to get in than "1".

    I can see this being a programmer supplied backdoor, like a hook for easter eggs, but based on the other security work done in MS, anything that can be gotten into that is there on purpose is locked up pretty tight to any casual attempts.
  • You're on (Score:3, Insightful)

    by Benanov ( 583592 ) <brian.kemp@membe ... minus physicist> on Friday January 13, 2006 @01:54PM (#14465066) Journal
    Actually, I think Microsoft will go after Gibson's reputation.
  • by Soporific ( 595477 ) on Friday January 13, 2006 @01:56PM (#14465083)
    It's a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

    It's nothing like that actually, you are comparing apples to supernovas.

  • Thread Creation (Score:5, Insightful)

    by Lagged2Death ( 31596 ) on Friday January 13, 2006 @01:57PM (#14465099)
    For me, that length==1 trigger is the most convincing evidence.

    I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.

    I think the real giveaway here is that Windows creates a new thread when presented with this magic length. That's like rolling out the red carpet for the attacking Huns. I don't think the average buffer overflow type exploit gets its own thread or process.

    And of course it's still possible that it was all a mistake. The C language can be used to write some extremely tangled code, if one is so inclined. Something like an incorrectly used setjmp/longjmp could have effects like this.
  • by NtroP ( 649992 ) on Friday January 13, 2006 @01:57PM (#14465104)
    I could see someone deliberately doing this, maybe a contractor or a disgruntled employee.
    The problem with that argument is that in order to exploit this backdoor you'd have to get the target computer to load a WMF file. The main practical way to do this would be to embed it in a web page and have the target visit that page. The only sites that all windows machines access on a regular basis are Microsoft's. The employee would also have to have access to Microsoft's web site to exploit this reliably.

    This seems to be only useful if MS itself wanted to use it. Use your imagination as to what they'd do with it. I can think of all kinds of things.

  • Patch (Score:3, Insightful)

    by Paradise Pete ( 33184 ) on Friday January 13, 2006 @01:57PM (#14465107) Journal
    If it were intentional you'd think they would have been able to patch it a little more quickly.
  • by nweaver ( 113078 ) on Friday January 13, 2006 @01:58PM (#14465118) Homepage
    Who writes an evil backdoor, which dates back to Win3.1 days (when you didn't NEED an evil back door, and Windows had no clue what this Internet thing was about), and then DOCUMENTS it?

    Lest we forget that Wine also proved vulnerable, and it was a clean-reimplementation of the specs!
  • Re:Possible uses? (Score:2, Insightful)

    by notreallynas ( 714307 ) on Friday January 13, 2006 @02:02PM (#14465152)
    It seems to me Microsoft could use it to get into every box using IE that contacts
    That's got to be at least a few.
    I imagine they could just turn this [] into a wmf file and run whatever code they want on millions of PCs.
  • by RexRhino ( 769423 ) on Friday January 13, 2006 @02:02PM (#14465153)
    Of course Windows is the dominant corporate operating system in the U.S., and there are far more intelligence agencies around the world who engage in corporate espionage than just the NSA/CIA (actually, the U.S. is probably behind in corporate espionage compared to say the Chinese or French - we are too worried about terrorists or whatnot). The idea that the NSA/CIA would encourage something that would be used against Americans by foreign powers as much or more than against the "enemies" of the U.S. makes the story seem more like conspiracy theory / urban legend.
  • The name means nothing. It's the facts that matter. Whether he is a one-day hacker or some looney, he discovered that for Length==1, (a completely invalid value that makes no sense for WMF's), Windows creates a new thread and starts executing the code.

    IMHO your "debunking steve gibson" site is nothing but a smokescreen to divert the attention from Microsoft's vulnerabilities and backdoors.
  • by Anonymous Custard ( 587661 ) on Friday January 13, 2006 @02:03PM (#14465162) Homepage Journal
    "A lawsuit is not the answer to everything."

    Since profit is all a corporation cares about, suing away those profits is the only way to punish it.
  • Re:Thread Creation (Score:5, Insightful)

    by atfrase ( 879806 ) on Friday January 13, 2006 @02:03PM (#14465171)
    I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.

    Again, agreed. But again, the catch is in the particular kind of odd behavior. If I were writing that code and it hit an invalid length, I'd probably abort processing of the whole file, presuming data corruption. Failing that I'd just skip over the flawed block and proceed with processing the next one. In that case, I could imagine not checking the length very carefully and just going to " + " to process the next block -- this would produce the observed "next byte" pointer.

    The problem is in the semantics: I said *process* the next block, not *execute* it. If anything this would just cascade into more error cases, since the data that was expected to be the "next block" would almost definitely also have a malformed header (since it wasn't intended to be a header at all), etc.

    So, I guess you're right - the tipoff is still that actual code is executed without having to be specifically pointed to (i.e. buffer overrun), and that it's executed in its own thread, rather than taking over the processing thread that was interpreting the metafile in the first place.
  • Re:Yeah... (Score:0, Insightful)

    by SalsaDoom ( 14830 ) on Friday January 13, 2006 @02:04PM (#14465180) Journal
    You know,

    Even if SG is a flaming idiot, that doesn't mean he isn't or can't be right. Even a stopped clock has the right time twice a day, as the saying goes. Crank or not, he could be on the money in this case and since those who have read the article seem to think he is on to something at least worth looking at... it seems ignorant to just dismiss him outright.

    This is what is called having an open mind.
  • Re:Length==1 (Score:2, Insightful)

    by 0123456 ( 636235 ) on Friday January 13, 2006 @02:12PM (#14465268)
    "what possible code could be "fallen through" into that would set CPU execution *inside* the metafile -- moreover, would set CPU execution to the *next byte* after the erroneous header block."

    I'm not entirely convinced. The code for the valid case presumably reads the subroutine address from the file, then starts a new thread which jumps to that address: it's not inconceivable to me that if the header is invalid it won't read the target address from the file, so the address variable just contains whatever was previously on the stack... which could well be the address of the data that's been loaded from the file (e.g. if it was previously used to hold the pointer into the header).

    It may well be an evil backdoor, but it could just as easily be plain old bad programming.
  • by ZorbaTHut ( 126196 ) on Friday January 13, 2006 @02:13PM (#14465274) Homepage
    Yes, because it's impossible for an identical problem to exist in WINE [], and therefore open source solves all problems.
  • by dc29A ( 636871 ) on Friday January 13, 2006 @02:15PM (#14465291)
    I could see someone deliberately doing this, maybe a contractor or a disgruntled employee.
    - How about a totally stupid idea that MS thought was good?

    I mean MS has a long history of ignoring security for usability, lock in and whatnot. WMF dates back to close to 10 years, back when MS really didn't give a damn about security. Even after the big Gates propaganda email and Trusted Computing Initiative and all the hoopla, XP SP2 allows blank passwords for administrators, the user created during installation is an administrator, again if password is blank no one gives a shit. Remote registry is on by default. RPC on by default. Administrative shares are on by default. Not to mention a plethora of completely useless services.

    MS just doesn't understand security. This WMF example is nothing different. It's some ancient code that never got looked at. Add to that the fact everyone and his mother is root, AND that the OS is a big bowl of spaghetti (hi2u IE deep in kernel), you get another attack vector vs Windows systems.

    Did someone maliciously implement this WMF "feature"? I doubt it. It looks like another regular MS security hole that shows that MS has no clue about security.
  • Re:Yeah... (Score:5, Insightful)

    by NtroP ( 649992 ) on Friday January 13, 2006 @02:15PM (#14465303)
    Isn't this the same Steve Gibson that was freaking out about how Raw Sockets in XP were going to destroy the world a couple of years ago?
    Didn't that get quietly fixed in a subsequent update and therefore NOT become an issue? He may be an alarmist, but he's normally a Pro-MS guy. In this case, I think he's on to something.
  • by Kylere ( 846597 ) on Friday January 13, 2006 @02:16PM (#14465314)
    There was a time in the history of slashdot when this would have been dissected in terms of a technological perspective. Now we just have anyone who is offended with Gibson attacking him. I have to wonder how many script kiddies are the base of the anti-Gibson press, because regardless of his state of mind, he has contributed more to system security than anyone who is flaming him.
  • by avalys ( 221114 ) on Friday January 13, 2006 @02:18PM (#14465333)
    Uh, no, how about not buying its products?

    If you buy a cell phone and decide the interface is sucky, you don't punish the company by suing them. You punish the company by buying another brand next time.
  • by mysticgoat ( 582871 ) * on Friday January 13, 2006 @02:20PM (#14465349) Homepage Journal

    A lawsuit is not the answer to everything.

    Too true.

    This is a case for criminal prosecution. Gibson has uncovered evidence that at face value demonstrates that there has been a conspiracy to defraud Windows users, and possibly to defraud Microsoft Corporation itself. Microsoft's internal documents would identify the coder(s) involved in this deceit, and possibly other conspirators.

    I think it is time for the Washington State Attorney General to give this to a Grand Jury. (IANAL, but I think it is the business of a Grand Jury to determine if a crime has been committed in this kind of circumstance).

    Let a Grand Jury hear this evidence and decide whether it appears that some person(s) deliberately set out to violate the privacy of Windows users.

  • Not sure... (Score:3, Insightful)

    by BRSQUIRRL ( 69271 ) on Friday January 13, 2006 @02:21PM (#14465352)
    This looks weird but it still needs more research, especially given Gibson's somewhat dodgy reputation.

    1 as an input value is one of those classic boundary conditions that developers should always specifically test against (but sometimes don't...along with 0, negative numbers, MAX_whatever, etc.). I'm not convinced that it was just a coding error. If the "magic key" length was something completely random like 6385492, then I would be more suspicious.

    C'mon MS...let's see the code!
  • Re:Thread Creation (Score:4, Insightful)

    by 0123456 ( 636235 ) on Friday January 13, 2006 @02:22PM (#14465361)
    "it's executed in its own thread, rather than taking over the processing thread that was interpreting the metafile in the first place."

    But that's only an issue if the WMF-processing code doesn't create a new thread in order to call the subroutine in the valid case. In reality you'd almost certainly want the callback to happen in its own thread, rather than to allow anyone to run arbitrary code in the same thread as the print server.
  • by mattbot 5000 ( 645961 ) on Friday January 13, 2006 @02:24PM (#14465378) Homepage
    It's nothing like that actually, you are comparing apples to supernovas.
    It's worse, actually. He's comparing security holes to concentration camps.
  • by jcr ( 53032 ) < .ta. .rcj.> on Friday January 13, 2006 @02:27PM (#14465402) Journal
    Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

    The stories Allied soldiers were told about the nazis paled in comparison to what they saw in the camps. Allied propagandists didn't have the imagination to come up with anything like the holocaust.

  • by NtroP ( 649992 ) on Friday January 13, 2006 @02:28PM (#14465410)
    Steve Gibson is not a security expert
    I'm not a security expert either. But if I came up with this evidence, how would that change the reality of the situation. The evidence stands on its own merit. His reputation has nothing to do with it. This is easily verifiable by anyone with at least his level of knowledge. It will be interesting to see what happens when other "real" experts start looking at this.
  • Easy one to test. (Score:3, Insightful)

    by jd ( 1658 ) <> on Friday January 13, 2006 @02:29PM (#14465423) Homepage Journal
    There are many ways in which 1 could purely coincidentally be tested for - using multiple bitwise operations that don't completely cover the word, for example.

    However, there are a few very specific ways in which you would write code to deliberately look for that specific value in a specific portion of an operation. These ways can be checked by inspecting a disassembled version of the code. (But do this outside of the US, or the DMCA droids will Use The Force.)

    Since WINE shows the same hole and the coders are not the same, it would be my guess that the problem is specifically in a DLL that is used/usable by both. It should also be possible to massage WINE to fire up a disassembler with the correct entry point into the DLL that has the hole, when passing the exploit payload. It might take a while (I suggest getting a few month's supplies in advance), but it should be possible to determine exactly where the exploit is, whether it looks "natural" or not*, and whether that specific section of code is likely called by other graphics routines.

    *A "natural" bug could include a series of conditionals and jumps, where the 1 is simply the untested case that falls into random code. An "unnatural" case would be to test specifically for 1 and to jump in a different way than for other cases. (eg: If other cases jump to subroutine, and 1 does a one-way jump OR on return is the sole case that jumps over all error conditions.) If that one case has an abnormal test and an abnormal jump, it would be next to impossible for it to be accidental.

    Actually, it might be useful against Microsoft in their appeal over the EU ruling. The EU ruling demands greater transparency of protocols and code, and demands code be uninstallable by someone. The politicians might not care much about the exploit, even if it were deliberate, but I'd be willing to bet the EU's lawyers would. Even if Microsoft as a corporation were innocent (yeah, right), it demonstrates a valid legal concern that cannot be resolved using totally closed, airtight methods.

  • by Anonymous Coward on Friday January 13, 2006 @02:29PM (#14465428)
    Anyway, this is freaky interesting, because if this is actually true, it's pure, unvarnished evil. It's a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

    I can't believe even on Slashdot that drivel like this was moderated +5 insightful. That you even consider a software exploit even remotely close to Nazi concentration camps shows us that you have a very poor understanding of the scale of tragedy. You should be ashamed of yourself.

  • Re:Thread Creation (Score:3, Insightful)

    by Ancil ( 622971 ) on Friday January 13, 2006 @02:34PM (#14465469)
    I think the real giveaway here is that Windows creates a new thread when presented with this magic length. That's like rolling out the red carpet for the attacking Huns. I don't think the average buffer overflow type exploit gets it's own thread or process.
    I don't find this (or the original article) convincing. He makes a wildly unsubstantiated claim about the WMF vulnerability being intentional.

    The whole Escape/SetAbortProc vulnerability is built around some (admittedly stupid) functionality in WMF files. WMF files have the ability to set an application callback function for an abort condition.

    If the code which processes this WMF file is going to call a user-supplied abort procedure, it's very reasonable for it to create a separate thread for that to happen in, rather than blocking. After all, it has no way of knowing what the application's response will be, or how long it will take.

  • by Jurph ( 16396 ) on Friday January 13, 2006 @02:42PM (#14465517)
    He's not going to have his clearance for very long if he goes around bullshitting his buddies about the NSA's sources and methods. If you've got a real citation for this, serve it up. Otherwise, you're just one more uncleared idiot pretending you know what's going on at Ft. Meade.
  • Re:Not sure... (Score:3, Insightful)

    by Dachannien ( 617929 ) on Friday January 13, 2006 @02:42PM (#14465519)
    Your supposition would require that no record in a WMF file could be 6385492 words long - or, more specifically, that there is a known maximum less than the maximum storeable value. As Gibson mentioned, the minimum record size is 6 words, which frees up the values 0 through 5 to be chosen as your magic key (or perhaps negative numbers if you use signed values for the record size). Picking one of those values would have been a lot quicker than trying to construct a maximum sized record and determining its length so you could pick something bigger.

    Gibson's findings are interesting, and as you say, certainly merit more study. As someone else said somewhere around here, stepping into and/or disassembling the relevant Microsoft code would give greater insight, as would finding out what old versions of Windows carry this problem - including old old versions like Win3.1 or whichever version introduced WMF in the first place.

    It's his assertions based upon those findings that may be a bit suspect, but that's what future research would hopefully clear up. Considering that we can't rely upon Microsoft for full disclosure, we need someone in a country that's a bit more, um, liberated than the U.S. in terms of reverse engineering to take a look at it. Gibson's rantings may seem over the top sometimes, but his strategy is to get someone with the expertise/legal protections/authority/etc. to get involved. (For that matter, it's not unlike the kickback rumors that CmdrTaco responded to the other day. Few people believed that they were actually taking kickbacks, even among the people who posted those rumors in the first place, but the rumors were enough to get CmdrTaco to take action concerning the actual problem of people abusing Slashdot for PageRank.)
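    A defender-side record scanner for the WMF structure this post and Ancil's comment above describe (an added example, not code from any poster or from Gibson): it walks the 18-byte header and the size/function records, flags a record whose size field is below the floor of the size and function fields alone (3 words, looser than the 6-word figure quoted in the post) or runs past the file, and flags any META_ESCAPE carrying the SETABORTPROC subfunction. The constants META_ESCAPE = 0x0626 and SETABORTPROC = 0x0009 come from the public WMF format, not from the thread, and the sample files are constructed inline.

```python
import struct

# Constants from the public WMF record format (assumed here; not quoted in the thread).
META_ESCAPE = 0x0626        # record function: printer-driver escape
META_EOF = 0x0000           # terminating record
META_SETMAPMODE = 0x0103    # harmless record used for the benign sample
SETABORTPROC = 0x0009       # escape subfunction discussed in the thread
HEADER_BYTES = 18           # standard (non-placeable) WMF header
MIN_RECORD_WORDS = 3        # 4-byte size field + 2-byte function field, in 16-bit words


def build_wmf(records):
    """Assemble a minimal standard WMF from (function, params[, forced_size]) tuples.

    Only used to construct the samples below; an optional third element forges
    the record's size field so the scanner's size check can be exercised.
    """
    body = b""
    max_words = MIN_RECORD_WORDS
    for rec in list(records) + [(META_EOF, b"")]:
        func, params = rec[0], rec[1]
        size_words = rec[2] if len(rec) > 2 else (6 + len(params)) // 2
        max_words = max(max_words, size_words)
        body += struct.pack("<IH", size_words, func) + params
    total_words = (HEADER_BYTES + len(body)) // 2
    # type=1 (memory), header size 9 words, version 3.0, file size, 0 objects, max record, reserved
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


def escape_record(subfunction, data):
    """Build the (function, params) pair for a META_ESCAPE record.

    Params are: escape subfunction, byte count, then the data, padded to a word.
    """
    params = struct.pack("<HH", subfunction, len(data)) + data
    if len(params) % 2:
        params += b"\x00"
    return (META_ESCAPE, params)


def scan_wmf(blob):
    """Walk a WMF's records and return a list of findings (empty means nothing flagged).

    Flags a header that is not a standard WMF header, a record whose size field
    is below the 3-word minimum or runs past the end of the file, and any
    SETABORTPROC escape: an abort callback has no business in a metafile that is
    merely being displayed, so its presence is a reliable indicator on its own.
    """
    findings = []
    if len(blob) < HEADER_BYTES:
        return ["truncated header"]
    mtype, hsize = struct.unpack_from("<HH", blob, 0)
    if mtype not in (1, 2) or hsize != 9:
        findings.append("unexpected header (type %d, header size %d words)" % (mtype, hsize))
    off = HEADER_BYTES
    index = 0
    while off + 6 <= len(blob):
        size_words, func = struct.unpack_from("<IH", blob, off)
        if size_words < MIN_RECORD_WORDS:
            findings.append("record %d: size %d words is below minimum" % (index, size_words))
            break  # the size field cannot be trusted to advance the cursor
        end = off + size_words * 2
        if end > len(blob):
            findings.append("record %d: size field runs past end of file" % index)
            break
        if func == META_ESCAPE:
            if size_words >= 5:  # room for subfunction and byte count
                sub, count = struct.unpack_from("<HH", blob, off + 6)
                if sub == SETABORTPROC:
                    findings.append("record %d: SETABORTPROC escape (byte count %d)" % (index, count))
            else:
                findings.append("record %d: escape record too short" % index)
        if func == META_EOF:
            break
        off = end
        index += 1
    return findings


# Constructed samples (built here, not captured files).
BENIGN_WMF = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8))])          # MM_ANISOTROPIC
ABORTPROC_WMF = build_wmf([escape_record(SETABORTPROC, b"\x00" * 4)])       # flagged by subfunction
SHORT_RECORD_WMF = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8), 1)])  # size field forged to 1

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("abortproc", ABORTPROC_WMF),
                       ("short-record", SHORT_RECORD_WMF)):
        print(name, scan_wmf(blob) or ["clean"])
```

    The scanner stops at the first untrustworthy size field rather than guessing where the next record starts, which is the conservative choice for a gateway filter.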

  • Re:Possible uses? (Score:3, Insightful)

    by ZachPruckowski ( 918562 ) <> on Friday January 13, 2006 @02:46PM (#14465546)
    It's a ten year old or so vulnerability. It predates DRM, so I doubt it was built for that originally. Sure, it may have DRM uses, but it couldn't have been made for DRM.
  • by Jtheletter ( 686279 ) on Friday January 13, 2006 @02:47PM (#14465554)
    The freakish thing about this, is that if it is indeed a backdoor, it's an odd way to go about it. You can't force someone to try to view a WMF

    That we know of that is. This has been lurking about in every version of windows since 95, right? And it's taken until now to be brought to light. How many other similar seemingly innocent bits of code in those millions of lines of legacy windows code do similar things? The question is not what can this exploit do on its own, but what can it do in concert with others that may exist? OK, so maybe I'm giving MS or the rogue programmer, or whoever did this (length==1 check and separate thread would imply it's not a mistake) too much credit, but if whoever did this was very clever they might have implemented a waterfall backdoor of sorts. In other words there's two or three exploits that when used in concert spell pwnage for almost any windows box. I'm willing to bet there's more here that hasn't been found yet. I'm also betting, along with others, that MS will not accept responsibility, nor even point the finger at a programmer or contractor/company to take the fall because that would also make them look completely unsecure. How many programmers have contributed to windows code over the years? And MS would be admitting they don't have knowledge of any backdoors those programmers may have introduced? No, more likely as Benanov (583592) suggested, MS will simply try to smear Gibson as someone with a vendetta and/or crackpot/idiot and try to downplay the whole thing as it has been.

    This is exactly why closed source is dangerous. Even security through obscurity is useless when the code holders don't know what's in their code. Open source may have similar problems, but at least there's plenty of people looking, and plenty who will be motivated to correct an issue when it's found instead of trying to pretend like it never happened. Which includes the issue of whodunnit and how to stop that from happening again.

  • by monkeydo ( 173558 ) on Friday January 13, 2006 @02:51PM (#14465591) Homepage
    Actually, Gibson is saying he doesn't know if previous versions are exploitable or not. In fact he's counting on not, since that's the only way to determine when the "backdoor" was inserted. Gibson is a bomb thrower. There's no evidence other than his opinion that this is a deliberate backdoor.
  • by evilviper ( 135110 ) on Friday January 13, 2006 @03:04PM (#14465722) Journal
    If this is an intentional backdoor, it is the crappiest one, EVER!

    You'd want something in the base system of ALL Windows version, which couldn't be disabled AT ALL, doesn't require a user to be logged-in as an admin, or stupid enough to open anything sent to them.

    If I was making a backdoor, I'd put it in something basic... Have the IP stack open a port when receiving a specially-crafted packet. Have the filesystem driver silently execute a file if it finds a special signature in it (eg. code embedded in a cookie/web-page), etc.

  • Re:Rootkit (Score:3, Insightful)

    by m50d ( 797211 ) on Friday January 13, 2006 @03:16PM (#14465843) Homepage Journal
    It's not really a rootkit as there's no immediate root access, you just get to execute code as the user who views the file. Though with windows there's not that much difference.
  • by Reziac ( 43301 ) * on Friday January 13, 2006 @03:17PM (#14465856) Homepage Journal
    Not only that, but my understanding is that the relevant WMF functions date back to the Win3.0 era (maybe Win2.0, not sure -- the earliest date I've seen was 1991) and in any event, long before M$ had much of a clue about the internet. And long before OS "back doors" became a common worry, too. M$ simply doesn't plan that well when it comes to how stuff is used/affected by an OS, and in fact tends to come late to the bandwagon.

    Furthermore, if Gibson is so sure of himself, why isn't his own test utility available to everyone? (Apparently it was only available to Laporte's listeners... not likely to be the most unbiased audience.)

    Net result: I knew Gibson's tinfoil hat was a trifle snug, but now I'm sure it needs a complete refitting.

  • by azuretek ( 708981 ) <[moc.liamg] [ta] [keteruza]> on Friday January 13, 2006 @03:21PM (#14465891) Homepage
    Most Windows computers at one point have connected to Windows Update, also IE defaults to MSN, isn't there a getting started page as well when you first open IE after install?

    It's just simple observation to say that the only site that would be consistent on every Windows system is a Microsoft site, somewhat how on my mac I am connected to apple after a clean install when I open Safari. One could say the only site that would be consistent on every mac would be

    -PS I don't think it was an intentional backdoor.
  • by tpgp ( 48001 ) on Friday January 13, 2006 @03:29PM (#14465981) Homepage
    Get a clue, troll-

    If you're going to accuse someone of trolling, you want to be pretty sure about your facts.

    if you have a blank admin password, XP prevents ANY remote network access using that account.

    Hmmmn, thats an interesting band-aid.

    You are actually more secure with a blank password.

    Really? More secure with a blank password? I doubt it.

    Would make privilege escalation pretty damn easy after you'd hacked a user account.

    And it makes all that least privileged user stuff that MS goes on about a little irrelevant too.
  • by Reziac ( 43301 ) * on Friday January 13, 2006 @03:47PM (#14466157) Homepage Journal
    But that's true of anything. Just because it was designed for X doesn't mean someone can't modify it to do Y. So why the WMF function in particular? What ADVANTAGE does it have as a back door, that other more-convenient exploits can't offer?

    And considering how old is the code in question, why hasn't any exploit for it ever been seen in the wild? Surely Gibson is not the only person poking into obscure corners of Windows.

    I'm reminded of how malicious code can be embedded in the comment field of GIFs, and executed by an accomplice program... that exploit was never seen in the wild either, but has been known about for as long as GIFs have existed. Was it part of a grand conspiracy to force us all to subscribe to Compu$erve?? ;)

  • by AnotherBlackHat ( 265897 ) on Friday January 13, 2006 @03:50PM (#14466183) Homepage
    You need plausible deniability.
    I.e. the back door has to look enough like a bug that finding it won't cause people to immediately realize that you're installing back doors intentionally.

    Something like a buffer overflow in the TCP stack that only happens with packets of an exact size (off by one in some checking routine.)

  • by TheNumberless ( 650099 ) on Friday January 13, 2006 @03:51PM (#14466194)
    In my not so humble opinion, you don't know what you are talking about. Go read some of the links in that site, and you'll see that Steve Gibson is one of the many "security experts" that have no clue but gives dangerous and very wrong "solutions".

    In my ever-so-humble opinion you completely missed the point of the parent. The reputation, sanity, motives, and anything else dealing with the person making the claim has nothing to do with the validity of the claim itself.

    In this particular instance, there is at least some apparent merit to the idea that this was an intentional backdoor, and that merit would be there regardless of who points it out.

    If you want to discredit the idea that this is an intentional backdoor (of which I am far from convinced), then you should attack the argument directly, not the man making it.
  • by mrseigen ( 518390 ) on Friday January 13, 2006 @04:17PM (#14466417) Homepage Journal
    I'm not quite sure why they'd want to use it. End-users already trust Microsoft implicitly because they made the operating system, so if they wanted to, for instance, install some software on all Windows machines that reports home if it detects a pirated copy, they could just do it through a service pack update. Most people would willingly install it (or click the little automatic button in Windows Update), and there'd be none of this Tom Clancy technothriller intrigue.

    I can't personally think of any kind of official reason why Microsoft would want to shove code onto Windows machines just from visiting their website. They've got tons of other ways of doing this.
  • by 2names ( 531755 ) on Friday January 13, 2006 @04:47PM (#14466708)
    Instead of tearing me a new one with accusations, why don't you educate me with your knowledge of crypto by putting forth some examples?
  • by Tim C ( 15259 ) on Friday January 13, 2006 @06:35PM (#14467754)
    The only sites that all windows machines access on a regular basis are Microsoft's.

    I assume that you're thinking of Windows Update, but at a guess I'd imagine that most (recent) Windows machines get most of their updates via automatic updates, or not at all. I'd be very surprised if "all Windows machines" visit any given site on a regular basis.

    (In fact it's trivially easy to disprove your assertion - I have access to 3 XP machines, and none of them visit any of MS's sites on anything approaching a regular basis, but that's beside the point)

    This seems to be only useful if MS itself wanted to use it. Use your imagination as to what they'd do with it. I can think of all kinds of things.

    I can't think of a single thing that would be worth it. An attack like that would be discovered and traced back to them, and they'd be crucified for it. Unless they could achieve their aim before that happened, there'd be no point, and short of taking over the world, I can't think of anything that would be worth it. Even if they could think of a way to make money using it, the courts would seize it all anyway.
  • by rts008 ( 812749 ) on Friday January 13, 2006 @06:44PM (#14467831) Journal
    You obviously did not RTFA or you would know that he isn't sure of himself. He has only worked/looked at this a total of one day and happened to bring it up on the podcast. He has also stated NUMEROUS times that it SEEMS to be a backdoor, but until he has a chance to work at this longer to find out, it appears to him to have no other function he can see AT THIS TIME. (No, I am not going to link to these statements. RTFA!) Second, you must not have put any effort into finding his tool; it took me about 30 seconds to find the link to it. Since you are so web challenged, here is the tool: ( []) How any of you calling Steve "bombthrower" (and similar) got modded anything other than flamebait or troll is beyond me. It is obvious from your comments that you did not RTFA, and the /. modders are not paying attention, I guess.
  • by toadlife ( 301863 ) on Friday January 13, 2006 @07:45PM (#14468280) Journal
    "The reputation, sanity, motives, and anything else dealing with the person making the claim has nothing to do with the validity of the claim itself."

    Technically what you just said is absolutely correct, but, regardless of whether it's correct to do so or not, the fact that people are taking Gibson's claim with a grain of salt is hardly surprising.

    Recommended Reading
  • by Anonymous Coward on Friday January 13, 2006 @07:49PM (#14468317)
    Unfortunately, Steve is wrong about len==1 being special: 14466008

    *and confused he is*
  • by shadow169 ( 203669 ) on Friday January 13, 2006 @08:19PM (#14468539)
    2) NT, and especially Win32 is written almost entirely in C++. Ever try to do self modifying code in C++?

    I get the feeling you don't spend your days mired in Win32 application coding. The Win32 libraries are all written in C, not C++. This is why different languages such as C, C++, VB, and even the new .NET runtime can all link to the same libraries: they all support C exports. There are no separate versions of libraries like user32.dll and gdi32.dll for VB, C, C++, etc.

    And oh yes, don't think that MS is re-implementing CreateWindowEx() (in user32.dll) in the .NET world. Any application, no matter where it was written, or in what language, if it runs on Windows it will at sometime end up in CreateWindowEx() (actually CreateWindowExA or CreateWindowExW) in user32.dll.

    Take a look at the actual Win32 API /library/en-us/winprog/winprog/functions_in_alphabetical_order.asp

    See any classes in there?
  • by Catbeller ( 118204 ) on Friday January 13, 2006 @08:33PM (#14468628) Homepage
    ENOUGH. Gibson was right about raw sockets.

    After the relentless pounding and smearing of Gibson, Microsoft quietly disabled the raw sockets code, whatever the hell it was.

    Gibson was right. They fixed the problem. He was right, The Reg was wrong.

    Jesus, it's like arguing with 20,000 Bill O'Reillys. Truthiness! Gibson is a maaaaadddmaaaannn!

    And since people rarely followup to what they think is truthy, they missed the fact that the only reason the Raw Sockets disaster didn't happen is because MICROSOFT QUIETLY FIXED THE PROBLEM, JUST. LIKE. GIBSON. SAID. THEY. SHOULD.

    And as for being a top security professional, something he never claimed to be - he's a developer - what makes you all think that the very best security people at the NSA and Microsoft don't already know all about the exploit, because it's one of the many that they placed there in the first place?

    Listen, everyperson, Microsoft has cooperated with Justice, the FBI, the NSA and all the other alphabet boys since the beginning. Windows and Office are monitored at will, you can bet your last god damned dollar. Can you imagine MS refusing to cooperate, especially during a ten year monopoly trial??

    (originally posted as AC because I'd moderated; however, even posting as an AC, the code retroactively undid my moderation. Didn't know that would happen. A little warning, Slashcode?)
  • by kupci ( 642531 ) on Friday January 13, 2006 @11:09PM (#14469333)
    There's no evidence other than his opinion

    (Defending Microsoft - only on Slashdot. Ok, so some monkees tapping on a keyboard while the programmer wasn't looking snuck this code in ;)

    First of all, Gibson is no bomb thrower; he's uncovered some pretty serious security issues with Microsoft. I'd suggest reading his web site. He's a very thorough person, and doesn't make any wild unsubstantiated, naive, biased claims, like, say, Slashdotters. He's a long time Windows user, not a Mac fan, nor an open-sourcer (at least until recently, for reasons like this). Now, to quote the transcript, I am curious where you would even be able to make the claim that this *isn't* a backdoor:

    what I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. Okay, Leo? This was not a mistake. This is not buggy code. This was put into Windows by someone. We are never going to know who.

    Yeah, he's saying this is a deliberate backdoor. Listen to the article or read the transcript, then think about it a little. Now, he's not saying *what* Microsoft put this in for. Did someone put this in for testing? That's my take, from a programmer perspective, but... who the heck knows. That's sorta the problem with proprietary software: we might never know. Buyer beware.

    Steve: Well, I mean, as you've mentioned a couple times here, I mean, one of the advantages of an open source system is, you know, and I'm finding myself gravitating more and more toward open source solutions because of their transparency. And so, you know, but an advantage of that is that all kinds of people are looking at the code, and there's just no opportunity, especially when you build the system yourself from source, there's no opportunity for anything evil to get stuck in. And also, about this what appears to be a Windows MetaFile backdoor that's always been in Windows from 2000 on, you know, they've done recently serious security reviews of all their code. You know, they took that whole timeout from all the work they were going to be doing and said they were rereading all their code. And this is not the first time metafiles have had a problem. There have been what are probably real bugs in metafile processing in the past, I think two of them. So the whole metafile system would have come under the scrutiny of someone, you know, very deliberately. Now, you know, if Microsoft had said last week, whoops, this was an undocumented backdoor or means for us to run code in a metafile, we never documented it, our security sweeps didn't find it, blah blah blah - but nothing was said. They allowed the industry to believe that this was just like all their other code mistakes, but this wasn't like all their other code mistakes.
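Reading the quoted description above as a defender, the useful artifact is a scanner that walks a metafile's records and flags any escape record whose sub-function is SetAbortProc, reporting the declared record size next to the size the record's own byte count implies, so the size==1 anomaly the thread argues about is visible at triage time. This is an added example, not code from the thread, from Gibson's tool, or from Microsoft; it relies on the standard WMF record layout (4-byte size in words, 2-byte function number, parameters) and the standard META_ESCAPE and SETABORTPROC constants, and the three sample metafiles are constructed inline, with placeholder bytes in place of any real escape data.

```python
import struct

# Standard WMF constants (record function numbers and escape sub-function).
META_ESCAPE = 0x0626        # escape record
META_EOF = 0x0000           # end-of-file record
META_SETMAPMODE = 0x0103    # an ordinary drawing record, used for the benign sample
SETABORTPROC = 0x0009       # the escape sub-function discussed in the thread
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header


def iter_wmf_records(data):
    """Walk a WMF byte string, yielding (offset, declared_size_words, function).

    The walk is driven by each record's own size field, which is exactly the
    field a malicious file controls, so the loop never advances by less than
    the 6-byte record prefix and stops at the first end-of-file record or at
    the end of the buffer. A record that lies about its size desynchronises
    everything after it; the scanner still reports what it saw before that.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from('<H', data, off + 2)[0]  # normally 9 (18 bytes)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        yield off, size_words, func
        if func == META_EOF:
            break
        off += max(size_words * 2, 6)


def find_setabortproc(data):
    """Return one finding per META_ESCAPE record whose sub-function is SETABORTPROC.

    Any SetAbortProc escape inside a metafile is worth flagging; the declared
    size is reported alongside the size implied by the record's own byte count
    so a mismatch (the size==1 case from the thread) stands out.
    """
    findings = []
    for off, size_words, func in iter_wmf_records(data):
        if func != META_ESCAPE or off + 10 > len(data):
            continue
        escape_fn, byte_count = struct.unpack_from('<HH', data, off + 6)
        if escape_fn == SETABORTPROC:
            # A well-formed escape record is 6 + 4 + byte_count bytes, word aligned.
            expected_words = (10 + byte_count + (byte_count & 1)) // 2
            findings.append({
                'offset': off,
                'declared_size_words': size_words,
                'expected_size_words': expected_words,
                'size_is_one': size_words == 1,
            })
    return findings


def wmf_record(func, params, declared_size_words=None):
    """Serialize one record; declared_size_words lets a sample lie about its size."""
    if len(params) & 1:
        params += b'\x00'  # records are word aligned
    size_words = (6 + len(params)) // 2 if declared_size_words is None else declared_size_words
    return struct.pack('<IH', size_words, func) + params


def wmf_file(records):
    """Wrap records in a minimal 18-byte standard WMF header (no placeable header)."""
    body = b''.join(records)
    total_words = (18 + len(body)) // 2
    max_words = max(len(r) for r in records) // 2
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


EOF_RECORD = wmf_record(META_EOF, b'')

# Constructed samples, not files from the wild. The escape data is 4 placeholder bytes.
ESCAPE_PARAMS = struct.pack('<HH', SETABORTPROC, 4) + b'XXXX'
BENIGN_WMF = wmf_file([wmf_record(META_SETMAPMODE, struct.pack('<H', 8)), EOF_RECORD])
SIZED_WMF = wmf_file([wmf_record(META_ESCAPE, ESCAPE_PARAMS), EOF_RECORD])
SUSPICIOUS_WMF = wmf_file([wmf_record(META_ESCAPE, ESCAPE_PARAMS, declared_size_words=1), EOF_RECORD])

if __name__ == '__main__':
    for name, sample in (('benign', BENIGN_WMF), ('sized', SIZED_WMF), ('size==1', SUSPICIOUS_WMF)):
        print(name, find_setabortproc(sample))
```

The scanner flags the correctly sized SetAbortProc record as well as the size==1 one, because the thread's point is that a SetAbortProc escape has no legitimate role in a stored metafile at all; the size mismatch is reported as an extra signal rather than as the sole trigger.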
