
WMF Vulnerability is an Intentional Backdoor?

Zonk posted more than 8 years ago | from the take-with-a-grain-of-salt dept.

Windows 788

An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.


Another? (1, Interesting)

rindeee (530084) | more than 8 years ago | (#14464872)

How about a link to information on the "other" intentional back doors that exist?

Re:Another? (4, Funny)

dr_dank (472072) | more than 8 years ago | (#14464932)

How about a link to information on the "other" intentional back doors that exist?

*looks at clipboard*

Ok Goatse linkers, thats your cue.

A link to his.... (0, Offtopic)

p.rican (643452) | more than 8 years ago | (#14465090)

site containing his evidence/proof that this vulnerability is there on purpose.

here [mit.edu]

Re:Another? (3, Funny)

gbobeck (926553) | more than 8 years ago | (#14465098)

How about a link to information on the "other" intentional back doors that exist?


Sure fine... Behold the Power of Google! [google.com]

Have Fun.

Move along, Move along (0, Offtopic)

XFilesFMDS1013 (830724) | more than 8 years ago | (#14464875)

Nothing for you to see here. Please move along.

Now there's a feature.

You can't Hack My Gibson (1, Funny)

Anonymous Coward | more than 8 years ago | (#14464877)

You can't Hack My Gibson.

Rootkit (2, Interesting)

poeidon1 (767457) | more than 8 years ago | (#14464878)

Is it like a rootkit but placed by microsoft itself ..Grrr.

Re:Rootkit (1)

Xerxus (899945) | more than 8 years ago | (#14464909)

Similarly, they are both features. Features can't be bad, right?

Re:Rootkit (2, Interesting)

poeidon1 (767457) | more than 8 years ago | (#14464945)

So, Can I sue microsoft now for the damage?

I would not be surprised at all. (4, Interesting)

AltGrendel (175092) | more than 8 years ago | (#14464898)

I could see someone deliberately doing this, maybe a contractor or a disgruntled employee.

Its happened before and it will happen again. Whether this is the case remains to be seen.

Re:I would not be surprised at all. (4, Insightful)

NtroP (649992) | more than 8 years ago | (#14465104)

I could see someone deliberately doing this, maybe a contractor or a disgruntled employee.
The problem with that argument is that in order to exploit this backdoor you'd have to get the target computer to load a WMF file. The main practical way to do this would be to embed it in a web page and have the target visit that page. The only sites that all windows machines access on a regular basis are Microsoft's. The employee would also have to have access to Microsoft's web site to exploit this reliably.

This seems to be only useful if MS itself wanted to use it. Use your imagination as to what they'd do with it. I can think of all kinds of things.

Re:I would not be surprised at all. (1)

BagOBones (574735) | more than 8 years ago | (#14465167)

I would say emailing it would work just as well.

Re:I would not be surprised at all. (2, Interesting)

Andrewkov (140579) | more than 8 years ago | (#14465176)

It seems unlikely that an API programmer would have access to the main webservers to pull that off. Besides, the exploitable feature has been there since Windows 3.1 (if I remember a comment from a previous Slashdot story correctly).

NSA (5, Funny)

Anonymous Coward | more than 8 years ago | (#14464899)

Well, how else is the NSA going to fight terrorism?

Government backdoor? (5, Interesting)

Jerry_Duplicate (126840) | more than 8 years ago | (#14464904)

There was talk about the NSA/CIA having a close relationship with Microsoft and being able to exploit backdoors in Windows. This could have all been conspiracy theories, but the fact that this vulnerability existed throughout the Windows line kinda seems odd..

If this isn't a glaring example on why you should support open source, I don't know what is....

Re:Government backdoor? (5, Interesting)

Dystopian Rebel (714995) | more than 8 years ago | (#14465053)

but the fact that this vulnerability existed throughout the Windows line kinda seems odd.


The function in question has existed for a long time. The exploit is in Windows 2000 and more recent. From the transcript:

But the only conclusion I can draw is that there has been code from at least Windows 2000 on, and in all current versions, and even, you know, future versions, until it was discovered, which was deliberately put in there by some group, we don't know at what level or how large in Microsoft, that gave them the ability that they who knew how to get their Windows systems to silently and secretly run code contained in an image, those people would be able to do that on remotely located Windows machines...

Re:Government backdoor? (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14465077)

Why do you think the Bush DOJ dropped the anti-trust case against Microsoft (settling for essentially a pittance)? This, news of an intentional backdoor for monitoring, on top of the news that the Bush white house illegally spied on Americans prior to 9/11 (no 9/11 excuse anymore), shows just how fucked up the United States government has become.

Re:Government backdoor? (-1, Interesting)

Anonymous Coward | more than 8 years ago | (#14465122)

I know someone with a security clearance at the NSA. The backdoor(s) exist and are intentional, but he would never tell me what they were. This is just another example of why I tell people to run open source software.

Re:Government backdoor? (2, Insightful)

RexRhino (769423) | more than 8 years ago | (#14465153)

Of course Windows is the dominant corporate operating system in the U.S., and there are far more intelligence agencies around the world who engage in corporate espionage than just the NSA/CIA (actually, the U.S. is probably behind in corporate espionage compared to say the Chinese or French - we are too worried about terrorists or whatnot). The idea that the NSA/CIA would encourage something that would be used against Americans by foreign powers as much or more than against the "enemies" of the U.S. makes the story seem more like conspiracy theory / urban legend.

MS Bashing (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14464906)

Does anyone else out there think that this article might lead to a very extreme amount of MS bashing?

Ream us (1)

ncurtain (937487) | more than 8 years ago | (#14465124)

Through Windows the NSA comes to you.

NSA Backdoor (0)

Anonymous Coward | more than 8 years ago | (#14465178)

Of course the NSA has the God given right to
examine anything you do, say, eat, ........

Unparalleled BS from MS. (2, Interesting)

TripMaster Monkey (862126) | more than 8 years ago | (#14464913)


From TFA:
And their [Microsoft's] definition for what's critical is sort of amazing. I mean, and this is from a page on their website. They say a vulnerability in Windows is critical only if its exploitation could allow the propagation of an Internet worm without user action. In other words, anything else is not critical.
You mean user action like...say...opening a web browser?

Anyway, this is freaky interesting, because if this is actually true, it's pure, unvarnished evil. It's a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

Steve makes an excellent case with his diagnosis, but I'd love to see his findings verified by a few other agencies. This is too important to leave to one researcher.

I, for one, am going to be following this story avidly. Any bets on when M$ issues a statement that a 'rogue programmer' put this code in, and disavow any knowledge or responsibility?

Re:Unparalleled BS from MS. (0, Offtopic)

iAmSmarticus (943944) | more than 8 years ago | (#14464960)

is it just me or is /. becoming more of a digg.com mirror these days?
and yes, M$ will very likely say it was some rogue programmer... We should start taking bets on how quickly they make the announcement!

Re:Unparalleled BS from MS. (-1)

Anonymous Coward | more than 8 years ago | (#14464991)

It's a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

GODWINNED!!11!!!eleventy!!1!

Re:Unparalleled BS from MS. (1)

csanford (944712) | more than 8 years ago | (#14465016)

Any bets on when M$ issues a statement that a 'rogue programmer' put this code in, and disavow any knowledge or responsibility?

I doubt it. There is no way to prove that it was intentional without seeing the source, so it makes more sense for Microsoft to just patch it and make no comment concerning its origins.

You're on (3, Insightful)

Benanov (583592) | more than 8 years ago | (#14465066)

Actually, I think Microsoft will go after Gibson's reputation.

Re:Unparalleled BS from MS. (1)

hcg50a (690062) | more than 8 years ago | (#14465069)

if this is actually true, it's pure, unvarnished evil.
Or perhaps just negligence. Possibly even criminal negligence. But "pure evil" as a standard won't stand up in court, unless we go back to persecuting witches.

Re:Unparalleled BS from MS. (1)

ConceptJunkie (24823) | more than 8 years ago | (#14465103)

Yeah, the concept of evil was disproved in the 1960's. We all know that no one is responsible for his actions...

Re:Unparalleled BS from MS. (4, Insightful)

Soporific (595477) | more than 8 years ago | (#14465083)

It's a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.


It's nothing like that actually, you are comparing apples to supernovas.

~S

Re:Unparalleled BS from MS. (0)

Anonymous Coward | more than 8 years ago | (#14465175)

godamn, I'm so fucking sick and tired of seeing you be modded up in every fucking thread, get a life loser

Length==1 (5, Insightful)

atfrase (879806) | more than 8 years ago | (#14464918)

This does look awfully like a special-case trigger. The idea of a backdoor is to have it look for a specifically crafted but completely nonsensical and invalid input sequence -- this serves as the "key" to the backdoor, ensuring that no other designer or user accidentally stumbles onto it. Since we assume that legitimate users and developers will only provide valid input, we design our "key" to be definitely invalid. For me, that length==1 trigger is the most convincing evidence. It's not just that it's the wrong input, it's that it's the one specific value of wrong input that triggers the behavior. That seems like design.

Re:Length==1 (4, Insightful)

stevied (169) | more than 8 years ago | (#14464999)

Obviously SetAbortProc should not be implemented for WMF playback, but assuming somebody screwed up and just called the normal version of Escape(), could the behaviour we're seeing here not somehow be the result of not checking the validity of the length parameter properly, performing some arithmetic on it, and possibly falling through to some other code that happens to a jump or call?

Re:Length==1 (3, Interesting)

Shimmer (3036) | more than 8 years ago | (#14465165)

You're right, of course. Everyone who's saying this is "obviously" intentional is jumping the gun in a big way. I've got $5 right here that says it's an accident.

"Never ascribe to malice that which is adequately explained by incompetence."

Re:Length==1 (1)

SideshowBob (82333) | more than 8 years ago | (#14465194)

Obviously not because if that were the case then the exploit would still be in effect when Length == 0, Length == 2, etc.

Re:Length==1 (4, Insightful)

Procyon101 (61366) | more than 8 years ago | (#14465010)

Possibly, but I doubt it's a Microsoft sanctioned backdoor. Any "OFFICIAL" backdoor from MS would have a much more complex key to get in than "1".

I can see this being a programmer supplied backdoor, like a hook for easter eggs, but based on the other security work done in MS, anything that can be gotten into that is there on purpose is locked up pretty tight to any casual attempts.

Re:Length==1 (5, Interesting)

atfrase (879806) | more than 8 years ago | (#14465101)

Agreed, it doesn't seem like the kind of "feature" that was designed in top-secret MS design documents or developed in meetings.

But I still have a hard time seeing how code would *accidentally* behave like this. An invalid length should abort processing right off the bat, for one thing; "falling through" might be an explanation, but what possible code could be "fallen through" into that would set CPU execution *inside* the metafile -- moreover, would set CPU execution to the *next byte* after the erroneous header block. That's awfully convenient; if it were a mistake, I'd expect code execution to begin at some other random location, probably influenced by whatever happened to be in the register or some temporary pointer variable at the time. But the very next byte? That's too insanely convenient -- you get to provide your key *and* your payload in the *same* place.

You could argue that buffer overrun exploits do the same thing, but the idea of the buffer overflow is to specifically overwrite the function-return pointer to *make* it point at your code. In this case, the exploit doesn't have to specify the location of the code to execute, Windows does that for you. Too convenient.

Re:Length==1 (1)

Cliffy03 (663924) | more than 8 years ago | (#14465102)

Correct, the key would be something complex, like 1,2,3,4.

Re:Length==1 (1)

Procyon101 (61366) | more than 8 years ago | (#14465116)

Funny, that's the same combination I have on my luggage....

Re:Length==1 (2, Funny)

DaveCar (189300) | more than 8 years ago | (#14465097)

That seems like design

Intelligent Design?

Thread Creation (5, Insightful)

Lagged2Death (31596) | more than 8 years ago | (#14465099)

For me, that length==1 trigger is the most convincing evidence.

I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.

I think the real giveaway here is that Windows creates a new thread when presented with this magic length. That's like rolling out the red carpet for the attacking Huns. I don't think the average buffer overflow type exploit gets its own thread or process.

And of course it's still possible that it was all a mistake. The C language can be used to write some extremely tangled code, if one is so inclined. Something like an incorrectly used setjmp/longjmp could have effects like this.

Re:Thread Creation (5, Insightful)

atfrase (879806) | more than 8 years ago | (#14465171)

I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.

Again, agreed. But again, the catch is in the particular kind of odd behavior. If I were writing that code and it hit an invalid length, I'd probably abort processing of the whole file, presuming data corruption. Failing that I'd just skip over the flawed block and proceed with processing the next one. In that case, I could imagine not checking the length very carefully and just going to " + " to process the next block -- this would produce the observed "next byte" pointer.

The problem is in the semantics: I said *process* the next block, not *execute* it. If anything this would just cascade into more error cases, since the data that was expected to be the "next block" would almost definitely also have a malformed header (since it wasn't intended to be a header at all), etc.

So, I guess you're right - the tipoff is still that actual code is executed without having to be specifically pointed to (i.e. buffer overrun), and that it's executed in its own thread, rather than taking over the processing thread that was interpreting the metafile in the first place.

Re:Length==1 (1)

AndersOSU (873247) | more than 8 years ago | (#14465169)

Can someone explain to me (or provide a link to information on) how this "key" was discovered? I haven't been following the story, and I'm not really an IT guy but this has piqued my interest

Geeze (0)

Anonymous Coward | more than 8 years ago | (#14464920)

Is Friday the 13th "Tin Foil Hat Day" on /. or what? The number of stories emanating from people that live in caves is unusually high today...

do you mean (4, Interesting)

Anonymous Coward | more than 8 years ago | (#14464925)


This Steve Gibson [grcsucks.com] ?, yeah he is a real security expert, along with his podcast boy wonder we have much to be afraid of

That seems to be the one (2, Informative)

Anonymous Coward | more than 8 years ago | (#14465106)

PJ posted this story over at Groklaw. Many posts replied that, based on this guy's previous record, his accusations are not trustworthy.

Before I believe this story, I want to see independent confirmation by someone I trust.

Ah, nice Ad-Hominem attack in there... (4, Insightful)

Spy der Mann (805235) | more than 8 years ago | (#14465158)

The name means nothing. It's the facts that matter. Whether he is a one-day hacker or some looney, he discovered that for Length==1, (a completely invalid value that makes no sense for WMFs), Windows creates a new thread and starts executing the code.

IMHO your "debunking steve gibson" site is nothing but a smokescreen to divert the attention from Microsoft's vulnerabilities and backdoors.

And this door leads to... (1, Flamebait)

VernonNemitz (581327) | more than 8 years ago | (#14464931)

How about a class-action suit against Microsoft,
on the grounds that they touted the security of their product,
while deliberately including non-security?

Re:And this door leads to... (4, Insightful)

Tebriel (192168) | more than 8 years ago | (#14464995)

A lawsuit is not the answer to everything.

Re:And this door leads to... (1)

BushCheney08 (917605) | more than 8 years ago | (#14465035)

Never mind that they absolve themselves of any responsibility via the EULA. Then again, let's test the validity of a EULA in court!

Re:And this door leads to... (3, Insightful)

Anonymous Custard (587661) | more than 8 years ago | (#14465162)

"A lawsuit is not the answer to everything."

Since profit is all a corporation cares about, suing away those profits is the only way to punish it.

Re:And this door leads to... (0)

Anonymous Coward | more than 8 years ago | (#14465183)

Contrariwise, a lawsuit is the answer to some things.

Anyone remember NSA KEY in the registry? (1, Insightful)

alen (225700) | more than 8 years ago | (#14464937)

Maybe this was for law enforcement or some other agency to track "people of interest."

Gibson (-1, Flamebait)

m_member (771187) | more than 8 years ago | (#14464942)

It's come to this has it, authoritative analysis provided by walrus face himself.

SetAbortProc (3, Informative)

jwegy (775655) | more than 8 years ago | (#14464951)

Yeah, SetAbortProc is used for cancelling print jobs. Here is the MSDN documentation: SetAbortProc [microsoft.com]

Re:SetAbortProc (1)

nolife (233813) | more than 8 years ago | (#14465100)

RTFA, I haven't formed an opinion on the situation yet but the linked article from the story covers what the function is for and there is a possibility that it does not work the way it is supposed to which leads to his theory that it may be a back door.

Re:SetAbortProc (1)

kawika (87069) | more than 8 years ago | (#14465130)

Right, but as TFA says it's not the SetAbortProc API that's at issue here, that API came much later. We're talking about the Escape/SETABORTPROC record that can be put into a WMF. They are two different things.
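An added example, not code from the thread or from any poster: a small defensive scanner that walks a WMF record stream and reports the two things the thread keeps returning to, an Escape/SETABORTPROC record inside an image (which has no purpose when a metafile is merely viewed) and a record whose declared size is below the 3-word minimum (the "length == 1" shape discussed above). Header and record layouts follow the public WMF format; the sample files are constructed inline and carry no payload.

```python
import struct
from dataclasses import dataclass
from typing import List

# Constants from the public WMF format. META_ESCAPE with escape number
# SETABORTPROC is the Escape/SETABORTPROC record the thread refers to.
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
META_EOF = 0x0000
MIN_RECORD_WORDS = 3         # DWORD size (2 words) + WORD function


@dataclass
class Finding:
    offset: int        # byte offset of the record inside the file
    size_words: int    # the record's declared size, in 16-bit words
    function: int      # the record function code
    reason: str


def _first_record_offset(data: bytes) -> int:
    """Skip the optional placeable header and the 18-byte METAHEADER."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    meta_type, header_words = struct.unpack_from("<HH", data, off)
    if meta_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF METAHEADER")
    return off + header_words * 2


def scan_wmf(data: bytes) -> List[Finding]:
    """Walk the record stream and report suspicious or malformed records."""
    findings: List[Finding] = []
    off = _first_record_offset(data)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        # Check 1: a SetAbortProc escape has no business in an image that is
        # only being viewed; report it whatever the declared size says.
        if func == META_ESCAPE and off + 8 <= len(data):
            escape = struct.unpack_from("<H", data, off + 6)[0]
            if escape == SETABORTPROC:
                findings.append(Finding(off, size_words, func,
                                        "Escape/SETABORTPROC record in image context"))
        # Check 2: a size below 3 words cannot even hold its own header (the
        # "length == 1" case). The size can no longer be trusted to locate the
        # next record, so scanning stops here.
        if size_words < MIN_RECORD_WORDS:
            findings.append(Finding(off, size_words, func,
                                    "undersized record (minimum is 3 words)"))
            break
        if func == META_EOF:
            break
        nxt = off + size_words * 2
        if nxt > len(data):
            findings.append(Finding(off, size_words, func, "record runs past end of file"))
            break
        off = nxt
    return findings


# --- constructed sample files (assumed test data, not real captures) ---------
def _record(func: int, *params: int) -> bytes:
    return struct.pack("<IH", 3 + len(params), func) + b"".join(
        struct.pack("<H", p) for p in params)


def _wmf(records: bytes) -> bytes:
    """Wrap records in a minimal METAHEADER (type 1, header 9 words, version 0x300)."""
    size_words = (18 + len(records)) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, size_words, 0, 0, 0) + records


# SETMAPMODE, SETWINDOWORG, SETWINDOWEXT: ordinary drawing-setup records.
BENIGN_RECORDS = _record(0x0103, 8) + _record(0x020B, 0, 0) + _record(0x020C, 100, 100)
EOF_RECORD = _record(META_EOF)

SAMPLE_CLEAN = _wmf(BENIGN_RECORDS + EOF_RECORD)
# Well-formed 5-word escape record carrying SETABORTPROC with zero data bytes.
SAMPLE_ESCAPE = _wmf(BENIGN_RECORDS + _record(META_ESCAPE, SETABORTPROC, 0) + EOF_RECORD)
# Same escape, but with the impossible declared size of 1 word.
SAMPLE_UNDERSIZED = _wmf(BENIGN_RECORDS + struct.pack("<IHH", 1, META_ESCAPE, SETABORTPROC)
                         + EOF_RECORD)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("escape", SAMPLE_ESCAPE),
                       ("undersized", SAMPLE_UNDERSIZED)):
        hits = scan_wmf(blob)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  offset {f.offset}: size={f.size_words} words "
                  f"func=0x{f.function:04x} {f.reason}")
```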

McDonalds (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14464954)

WTF? It figures that Ronald McDonald would friggen put a backdoor in this Big Mac Microsoft calls an OS. Come on people, when are you gonna realize that there's too much fat in their healthy foods. Healthy foods come from cows and are delivered to your local MickeyD's where they are frozen for future consumption by the proletariat class. Once all the foods are frozen, the loyal, extremely wealthy McDonald's employees create highly sophisticated utility doors in their crazy ideas. I mean really.

Who cares what Steve Gibson thinks? (0, Flamebait)

chroot_james (833654) | more than 8 years ago | (#14464958)

He's the L Ron Hubbard of the computer industry.

Possible uses? (4, Interesting)

Kitsune78 (941644) | more than 8 years ago | (#14464962)

The freakish thing about this, is that if it is indeed a backdoor, it's an odd way to go about it. You can't force someone to try to view a WMF. What would its purpose be? You can't use it to get into the exact box you want to, just into a random box that perhaps picks up your WMF from a webpage, or displayed in an application.

Re:Possible uses? (2, Interesting)

pahoran (893196) | more than 8 years ago | (#14465038)

Looking for terrorists? You don't necessarily know where they are.

Looking for people who have bad things to say about the gov't on their computer? You don't necessarily know where they are.

And let your imagination continue the list ...

Re:Possible uses? (1)

Procyon101 (61366) | more than 8 years ago | (#14465043)

Easter Egg hook

Re:Possible uses? (4, Interesting)

RexRhino (769423) | more than 8 years ago | (#14465058)

Digital Rights Management... If you can control a box using a WMF file, there is all sorts of digital rights management mischief you can do to prevent a machine from copying a file, or decoding a file, or whatever.

Re:Possible uses? (1)

bricriu (184334) | more than 8 years ago | (#14465128)

... unless you send an email to someone who uses Outlook with the preview pane on, or Hotmail/Yahoo/any other HTML-ized webmail service.

It's not a perfect vector for exploits, but it's not a bad one.

Re:Possible uses? (2, Insightful)

notreallynas (714307) | more than 8 years ago | (#14465152)

It seems to me Microsoft could use it to get into every box using IE that contacts msn.com
That's got to be at least a few.
I imagine they could just turn this [msn.com] into a wmf file and run whatever code they want on millions of PCs.

Re:Possible uses? (0)

Anonymous Coward | more than 8 years ago | (#14465199)

possible uses... hmm... like - and i'm stretching, here - setting up a bunch of randomly distributed proxy servers, quietly (e.g. no massive "worm" traffic to set off alarms, &c.)?

just a thought.

Bugs don't have to be well-coded (2, Interesting)

m50d (797211) | more than 8 years ago | (#14464968)

That's why they're bugs. Seriously, I don't think the fact that it behaves differently from how it does in a printer is any indication it was deliberately written that way. More likely this was an attempt to disable the code that went wrong.

Lawsuit time (5, Interesting)

Animats (122034) | more than 8 years ago | (#14464980)

Someone involved in a WMA-related lawsuit needs to subpoena, from Microsoft, all the source code and all the change control information for this small part of Windows. Then the original programmers need to be found and deposed under oath. This is standard legal procedure for something like this.

It's possible to get to the bottom of this by legal means.

Based on that information (2, Interesting)

Marxist Hacker 42 (638312) | more than 8 years ago | (#14464983)

I think it's a beneficial back door- in fact, I wouldn't be at all surprised to find that they'll need to update "Windows Update" after all the patches are in place.

Magic Lantern? (4, Interesting)

Tackhead (54550) | more than 8 years ago | (#14464985)

Sometimes even a blind squirrel gets a nut.

The notion of a backdoor in Windows isn't new. Perhaps the WMF vulnerability was one of the vectors used by Magic Lantern [wired.com] , which was the code word for at least one of the FBI's keylogger programs. Magic Lantern was notable in that antivirus providers participated with the Feebs in a gentleman's agreement to not look for it.

It's certainly a dumb enough solution that the IT-challenged FBI might go for it.

On relative dumbness and smartness, I'd expect smart spies, namely those who work for two other notable three-letter-agencies, to use somewhat more interesting techniques. If it were me, I'd take advantage of equipment I had in place at critical infrastructure points to conduct MITM attacks between a PC and Windows Update servers, in order to transparently install my spookware on only those machines that specifically identify themselves - by means of GUID or whatever other stuff I could glean from the Windows Genuine Advantage and other DRM-related bitstreams - as belonging to my target population.

Paranoid? If you're not paranoid, you're not thinking far enough ahead.

Steve Gibson is a crackpot (3, Informative)

Sycraft-fu (314770) | more than 8 years ago | (#14464997)

Please remember this is the same Steve Gibson who claims to have invented a new amazing "nanoprobe" technology for port scanning which he claims is a first to the world and can do just about everything. Of course turns out to just be specially crafted TCP packets with no payload, which nmap has done since forever.

The guy is a massive alarmist and I wouldn't take anything he says seriously. He loves to cry about the end of the digital world type scenarios, perhaps because he really believes it, or perhaps because it gets him more business.

Re:Steve Gibson is a crackpot (0)

Anonymous Coward | more than 8 years ago | (#14465133)

Even the boy who cries wolf can end up with a real wolf once in a while, it's worth checking. If bogus, he should get the pounding Microsoft would otherwise receive, if real...Bill better have an asbestos suit, because I'll be with the group using burning tar!

Note: The word in the image is 'tortures'. How appropriate!

Re:Steve Gibson is a crackpot (0)

Anonymous Coward | more than 8 years ago | (#14465151)

Not especially informative, merely ad hominem.

Re:Steve Gibson is a crackpot (1)

Hosiah (849792) | more than 8 years ago | (#14465164)

Sorry, charlie. I have memories of you. Gibson may have a reputation. YOUR reputation polishes his and hangs a halo on it!

I entertained doubt about it until you refuted it; now I know for SURE that it's true!

Re:Steve Gibson is a crackpot (4, Interesting)

Moby Cock (771358) | more than 8 years ago | (#14465190)

Normally I'd agree with you. But in this case I think he may have found something very important. This WMF flap stinks to high heaven. The fact that there seems to be a specific and deliberate key (length == 1) is very disturbing. Gibson is a wacko and doomsayer, but today he may have found something valid.

Interesting evidence (3, Insightful)

joshtimmons (241649) | more than 8 years ago | (#14464998)

I agree with the author that the length prefix is something of a smoking gun. It begs the question of "how do we know it was fixed..." For example, they could change it to execute the datastream when length is set to a new trigger value; or a stronger backdoor would ignore any unsigned code. Still there, but harder to test for.

It's a straightforward way to add a backdoor that will bypass firewalls, etc. It can be triggered by a browsed page, email, etc. It's better than gif/jpeg encoding because those are more "platform independent." and the payload would be more likely noticed by a 3rd party decoder.

On the other hand, isn't this flagged as an attempt to execute code on a data page?

Also, if it were official, doesn't MS have easier ways into a general box - say through security updates, or even the entire existing code base?

Re:Interesting evidence (1)

AnotherDaveB (912424) | more than 8 years ago | (#14465076)

Also, if it were official, doesn't MS have easier ways into a general box - say through security updates, or even the entire existing code base?

People will rationalise it any which way. Whatever. I predict a bumper year for Red Flag Linux.

Please not Gibson again... (3, Informative)

Anonymous Coward | more than 8 years ago | (#14465000)

Steve Gibson is not a security expert

http://www.grcsucks.com/ [grcsucks.com]

I knew it!! (1)

aztechClanIII (536891) | more than 8 years ago | (#14465022)

M$ is spyware friendly on purpose!! Wow, I always suspected, but now I have proof.

Careful out there.

obligatory Hackers quote (1, Funny)

Anonymous Coward | more than 8 years ago | (#14465032)

"Hack the Gibson!"

They're the same link! (1)

sharpestmarble (875443) | more than 8 years ago | (#14465039)

Did the /. editor(Zonk) not notice that the first link he posted is the same one as the last?

KnockKnock (1)

bricriu (184334) | more than 8 years ago | (#14465050)

Down at the bottom of the transcript, Steve gives GRC.com/securitynow.htm as a URL where you can grab his test code for this problem (KnockKnock.exe)... but I can't find it there. Can anyone else?

Yeah... (4, Informative)

TheAwfulTruth (325623) | more than 8 years ago | (#14465052)

Isn't this the same Steve Gibson that was freaking out about how Raw Sockets in XP were going to destroy the world a couple of years ago?

S.G. is a flaming idiot, he looks for (and imagines) ghosts and spooks in every corner. Then flogs his conspiracy theories to promote himself and his business. This probably holds about as much water as the "discovery" of cold fusion and Korean human cloning.

Why aren't we reporting on REAL bugs like the 4 security vulnerabilities found in iTunes this week which opens both Windows and Mac users to external attack? Was the Microsoft bashing quota too low this week?

What is becoming of /.?

Re:Yeah... (0, Insightful)

SalsaDoom (14830) | more than 8 years ago | (#14465180)

You know,

Even if SG is a flaming idiot, that doesn't mean he isn't or can't be right. Even a stopped clock has the right time twice a day, as the saying goes. Crank or not, he could be on the money in this case and since those who have read the article seem to think he is on to something at least worth looking at... it seems ignorant to just dismiss him outright.

This is what is called having an open mind.
--SD

As Eddie Deezen would say... (2, Funny)

east coast (590680) | more than 8 years ago | (#14465070)

I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?

You guys are so dumb, I'd go straight through Falken's Maze.

I just hope David Lightman isn't reading this... we'd only have a few days until it was all over for us...

Reminds me of something... (0)

Anonymous Coward | more than 8 years ago | (#14465073)

This reminds me of something: Somebody finds something that's so strange that it must have been intentional. Anyone else smell something that rhymes with "bintelligent resign?"

Hanlon's Razor... (0)

Anonymous Coward | more than 8 years ago | (#14465074)

Don't attribute to malice anything that can be attributed to stupidity...

Patch (3, Insightful)

Paradise Pete (33184) | more than 8 years ago | (#14465107)

If it were intentional you'd think they would have been able to patch it a little more quickly.

Re:Patch (1)

GeneralEmergency (240687) | more than 8 years ago | (#14465159)

No. If it was an intentional back door with a serious national security(?) mandate behind it, then it would take LONGER to patch.

The patch would have to close this door and open ANOTHER.

Who DOCUMENTS their evil backdoor? (4, Insightful)

nweaver (113078) | more than 8 years ago | (#14465118)

Who writes an evil backdoor, which dates back to Win3.1 days (when you didn't NEED an evil back door, and Windows had no clue what this Internet thing was about), and then DOCUMENTS it?

Lest we forget that Wine also proved vulnerable, and it was a clean-reimplementation of the specs!

Re:Who DOCUMENTS their evil backdoor? (1)

Tucan (60206) | more than 8 years ago | (#14465144)

The transcript of the podcast makes the point that this probably did not exist prior to Windows 2000.

Re:Who DOCUMENTS their evil backdoor? (1)

rainwater (530678) | more than 8 years ago | (#14465185)

Who writes an evil backdoor, which dates back to Win3.1 days (when you didn't NEED an evil back door, and Windows had no clue what this Internet thing was about), and then DOCUMENTS it?

Show me where this is documented? If you RTFA you would see that this special case is most definitely not documented.

Steve Gibson of GRC? (0)

Anonymous Coward | more than 8 years ago | (#14465119)

/ignore

http://grcsucks.com/ [grcsucks.com]

Courtesy MJOHNSTON (0)

Real World Stuff (561780) | more than 8 years ago | (#14465132)

"It's good to see that this vulnerability is getting some exposure, but this article's synopsis is misleading. It is well known that the WMF vulnerability stems from an intentional feature in the design of WMF that allows code to be embedded into WMF images; this code is executed when the image is viewed. The original purpose of this was mainly to handle the cancellation of print jobs during spooling. This is a feature that has extreme security implications in the context of the Internet, but is from another time (Windows 95), when MS had very little interest in networking beyond trusted internal corporate environments. Over the years this code has lived on in Windows without being reviewed in the current context of Internet connectivity. Never ascribe to malice that which can be explained by incompetence. See http://en.wikipedia.org/wiki/2005_WMF_vulnerability [wikipedia.org] for a lot more detail.

I don't mean to make an ad hominem attack (this podcast is actually fairly accurate), but Steve isn't exactly known for being a respected researcher in the security industry - he's a bit of a poser. He frequently hypes issues to crazy levels and tries to make himself look like a hero/expert. In fact, he usually offers little insight and often tries to pass off regurgitation (often inaccurate) as original research. Just listen to him in this recording talking about "rolling up his sleeves" and "wrote all my own code", etc - trying to sound like he substantially contributed to the security industry. Look up his stuff on nano-probes (http://grc.com/np/np.htm [grc.com] ) for some really ridiculous stuff. I am a security professional and can tell you that it's mostly BS and/or hyped/obfuscated wording for technologies and techniques that have been in common usage for years and years before he wrote this crap.

Much better resources and much more insightful experts are accessible. Try http://www.schneier.com/blog/ [schneier.com] and http://isc.sans.org/diary.php [sans.org] for FAR more interesting information. No one I know or work with pays any attention to Steve Gibson, except as a source of humor. :)"

Damn you NSA! (0)

Anonymous Coward | more than 8 years ago | (#14465147)

Damn you to hell!!!

Now a cool tool would be... (1)

thewils (463314) | more than 8 years ago | (#14465168)

...one that would search for WMFs that are set up to trigger the Backdoor. Do they exist? Are they on some shady Russian site, or are they on sites run by MS or Govt. agencies?
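The tool asked for above is not hard to sketch. The mechanism described a few comments up (a WMF image can carry an escape record whose data GDI treated as a print-abort callback) maps onto a concrete record layout: after the optional placeable header and the 18-byte metafile header, a WMF is a sequence of records, each starting with a 4-byte size in 16-bit words and a 2-byte function code; a META_ESCAPE record (0x0626) then carries a 2-byte escape function code and a 2-byte byte count, and SETABORTPROC is escape code 9. The following scanner is an added example written for this thread, not code from Steve Gibson, GRC or Microsoft; the two sample files it checks are constructed inline (the "payload" is filler bytes, not a working exploit), and the suspicious-size heuristic is an assumption of this example: a scanner that trusts record sizes can be walked past a record, so undersized records are reported rather than silently skipped.

```python
import struct
from collections import namedtuple

# WMF constants from the metafile format (values are public and stable).
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable header
META_EOF = 0x0000
META_SETTEXTCOLOR = 0x0209     # harmless record used in the clean sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape function that the vulnerable GDI path honoured

WmfRecord = namedtuple("WmfRecord", "offset func size_words params")


def parse_wmf_records(data):
    """Walk the record list of a WMF blob without trusting it too much."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        params = data[off + 6: off + size_words * 2]
        records.append(WmfRecord(off, func, size_words, params))
        # A record shorter than its own 6-byte prefix cannot be advanced over;
        # stop here and let the caller report it instead of looping.
        if func == META_EOF or size_words < 3:
            break
        off += size_words * 2
    return records


def find_setabortproc(data):
    """Return a list of findings: SETABORTPROC escapes and malformed sizes."""
    findings = []
    for rec in parse_wmf_records(data):
        if rec.size_words < 3:
            findings.append({"offset": rec.offset, "kind": "malformed-record-size",
                             "size_words": rec.size_words})
            continue
        if rec.func != META_ESCAPE or len(rec.params) < 4:
            continue
        esc_func, byte_count = struct.unpack_from("<HH", rec.params, 0)
        if esc_func == SETABORTPROC:
            findings.append({"offset": rec.offset, "kind": "setabortproc-escape",
                             "byte_count": byte_count,
                             "payload_len": len(rec.params) - 4})
    return findings


# --- constructed samples (assumption: minimal but well-formed WMF files) ---

def wmf_record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"                          # records are word-aligned
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def escape_record(esc_func, payload):
    return wmf_record(META_ESCAPE, struct.pack("<HH", esc_func, len(payload)) + payload)


def build_wmf(records):
    body = b"".join(records)
    max_rec = max(len(r) // 2 for r in records)
    # Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size in words,
    # NumberOfObjects=0, MaxRecord, NumberOfMembers=0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_rec, 0)
    return header + body


CLEAN_WMF = build_wmf([
    wmf_record(META_SETTEXTCOLOR, struct.pack("<HH", 0x00FF, 0x0000)),
    wmf_record(META_EOF),
])

# Filler bytes stand in for whatever the escape would hand to GDI; this is
# not shellcode, just something for the scanner to find.
SUSPICIOUS_WMF = build_wmf([
    wmf_record(META_SETTEXTCOLOR, struct.pack("<HH", 0x00FF, 0x0000)),
    escape_record(SETABORTPROC, b"\xCC" * 8),
    wmf_record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, find_setabortproc(blob))
```

Run against a directory of images, the interesting output is any file with a `setabortproc-escape` finding, since an ordinary on-screen image has no reason to set a print abort procedure; a `malformed-record-size` finding is worth a look too, because it means a naive size-following walker would have stopped or mis-stepped at that point.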

A VERY long jump to a Conclusion (1)

Limecron (206141) | more than 8 years ago | (#14465181)

It seems way more likely that some idiot MS-programmer put this in there so he could show his buddies: Hey look what this WMF file can do... and then forgot about it completely.

An essentially non-authenticated exploit which can only be activated by accessing a WMF file (what user or system does that on a reliable basis) would only look like a "backdoor" to a conspiracy theorist (read: Steve Gibson).

Yeah, it's fun to think just how evil Microsoft really is, but I really doubt this is an example of it.

Also, backdoors would be by definition "intentional", no? Just an attempt to make it sound more evil.

This guy is a moron. (4, Informative)

gregarican (694358) | more than 8 years ago | (#14465186)

I browsed over several posts on his website and came away with the conclusion that he is a few fries short of a Happy Meal. Here's one posting that I found really amusing:

"Thank you Microsoft for blessing us with a patch to fix the products
you currently sell. The products that compete with Linux and Macintosh.
Excellent job at diverting our attention away from the fact that
Windows 95, Windows 98, Windows 98SE, Windows Millennium Edition, and
Windows NT4 remain vulnerable. Neat trick convincing people that "the
vulnerability is not critical because an exploitable attack vector has
not been identified that would yield a Critical severity rating for
these versions."

Lemme see here. Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?

Ridiculous.