Sigh, now I’m getting tons of email saying “how are you gonna explain that Microsoft left a back door that resulted in the WMF exploit?”
So, I sent those over to Stephen Toulouse and said “can you get the details on this claim?” He just posted that on his blog.
I’ve never been a fan of Steve Gibson’s somewhat irresponsible ‘conclusions’. To say the evidence for a backdoor is “quite compelling” is one thing, but to later state clearly (and more than once) that Microsoft “intentionally put a backdoor in Windows” is, well… you really shouldn’t be taking flak for this, Robert!
Thanks for the link to Stephen’s post btw, v. interesting.
Mr. Potato Head? Mr. Potato Head? Back doors are not secrets!
I think it is possible, but not likely. Mr. Gibson can be a little paranoid. That’s his job.
Well it was really done because customers were asking tons of questions about it. Really the assertion by some people that there would be an intentional back door inserted into Windows which could only be used by first convincing the user to visit a website is pretty funny on the face of it. But hey letting people know the background is good too. People like to learn the same lessons we learn about software vulnerabilities so I hope you guys found it interesting.
S.
I for one, do not believe that MS intentionally put a backdoor in WMF. As the old saying goes, “Never attribute to malice, what can be adequately explained by stupidity”.
All the WMF issues are due to plain old incompetence.
Well, if Microsoft wanted a backdoor, would they have made it such that:
a) didn’t require user interaction (opening webpage or image)
b) not part of a public API
c) make it targetable (pick an IP instead of indiscriminate)
Hmm, screw that, conspiracy theories are much more fun! UFOs power MacOSX! Steve Jobs is an android powered by pure evil! Walt Disney was the antichrist!
Well it appears that this exact same flaw appears in the Wine implementation, which was written from the specs without access to the Windows source code – so did the Wine guys put the backdoor in as well?
Pure nonsense ..
I listened to Steve Gibson and Macfanboy Leo Laporte’s podcast; I think he was reaching a little.
It explains it well (and, for the first time, why legacy systems are not getting patched), but not how the vulnerability was missed by SP2. That’s still cause for concern.
WMF? I use it for cooking (www.wmf.com) LOL
It is amazing that you can find the same comments in every site that talks about this. First, the attack on Steve Gibson, with similar language. Second, the Wine argument, which is bogus, Wine tries to implement the features of Windows the best it can. It has to imitate behaviour! Finally, none of the comments answer the real concerns that Steve Gibson presented. He even answered them on his site…
Even more surprising is that the linked article by Stephen Toulouse doesn’t address the main concerns that Gibson brought up, namely that there is nothing useful you can do in the lonely thread that is spawned by this “feature” (you don’t have access to the DC of the metafile) and that the function does not work the way Stephen describes. The only reason Gibson found this was by trying to force the behavior to happen, and none of the “official” explanations worked.
Since the 13th, when Gibson’s podcast aired, this has been the only response from MS. It would appear that a technically competent rebuttal is in order.
Has someone come along and documented that Gibson’s findings (that the only way to trigger malicious code is by setting the file length to 1, and that the value of SetAbortProc doesn’t matter since the code that will be executed is immediately following the header)? Has anyone rebutted them?
I’ll be the first to admit that Gibson has an ego the size of Montana (or at least San Diego), but silence on this does not do MS any good, and this appears to be something difficult to “evangelize” away, given all the security reviews that this code should have received en route to XP SP2, and Vista. (Unless by “code review” they mean checking the filenames.)
Tim
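The trigger Tim’s comment describes (a SetAbortProc escape record and a record length of 1) is also the pattern a defender can scan for in files before a renderer ever sees them. The Python scanner below is an added example, not code from this blog or from any of the commenters: it walks the standard WMF header and record stream, flags any META_ESCAPE record whose escape subfunction is SETABORTPROC, and separately flags any record whose declared size is smaller than its own 6-byte record header. The record layout and the constant values follow the WMF file format; the three sample files are constructed inline for the test and contain no executable payload.

```python
import struct

# WMF constants from the Windows Metafile format. SETABORTPROC (escape 9) is
# the escape subfunction Tim's comment refers to.
PLACEABLE_MAGIC = 0x9AC6CDD7
META_EOF = 0x0000
META_RECTANGLE = 0x041B
META_ESCAPE = 0x0626
SETABORTPROC = 9
RECORD_HEADER_WORDS = 3      # 4-byte size (in 16-bit words) + 2-byte function


def iter_records(data):
    """Yield (offset, declared_size_words, function) for each record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                 # skip the Aldus placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_size_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_size_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        yield off, size_words, func
        if func == META_EOF or size_words < RECORD_HEADER_WORDS:
            break                                # cannot advance past a malformed size
        off += size_words * 2


def scan_wmf(data):
    """Return a list of (offset, reason) findings; an empty list means nothing suspicious."""
    findings = []
    for off, size_words, func in iter_records(data):
        if size_words < RECORD_HEADER_WORDS:
            findings.append((off, f"record declares {size_words} word(s), less than its own header"))
        if func == META_ESCAPE and off + 8 <= len(data):
            # The escape subfunction is the first parameter word. It is read from
            # the raw bytes, so a lying size field cannot hide it from the scanner.
            escape = struct.unpack_from("<H", data, off + 6)[0]
            if escape == SETABORTPROC:
                findings.append((off, "META_ESCAPE with SETABORTPROC escape"))
    return findings


# --- constructed sample files (built here for the example, not real captures) ---

def make_record(func, params=b"", size_words=None):
    if size_words is None:
        size_words = RECORD_HEADER_WORDS + len(params) // 2
    return struct.pack("<IH", size_words, func) + params


def make_wmf(records):
    body = b"".join(records)
    max_record_words = max(len(r) for r in records) // 2
    # mtType=1 (disk), mtHeaderSize=9 words, mtVersion=0x0300, mtSize, mtNoObjects,
    # mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (18 + len(body)) // 2, 0, max_record_words, 0)
    return header + body


# Ordinary drawing: one rectangle, then end-of-file.
BENIGN = make_wmf([
    make_record(META_RECTANGLE, struct.pack("<hhhh", 100, 100, 0, 0)),
    make_record(META_EOF),
])

# A well-formed escape record requesting SETABORTPROC: nothing a picture needs.
ABORTPROC_ESCAPE = make_wmf([
    make_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
    make_record(META_EOF),
])

# A rectangle record whose size field claims one word: a parser that trusts it
# walks off the record, which is the length anomaly Tim's comment mentions.
BAD_SIZE = make_wmf([
    make_record(META_RECTANGLE, struct.pack("<hhhh", 100, 100, 0, 0), size_words=1),
    make_record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("abortproc", ABORTPROC_ESCAPE), ("badsize", BAD_SIZE)]:
        print(name, scan_wmf(blob) or "clean")
```

To check a real file, call `scan_wmf(open(path, "rb").read())`. Two design points matter: the escape subfunction is read from the raw bytes following the record header rather than from a slice bounded by the declared size, and the walker stops at the first undersized record instead of using that size to advance, so a malformed length can neither hide the escape nor send the scanner into a loop.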
Regarding the ‘you have to go to a particular website’ argument, an appropriately crafted email indistinguishable from any other spam would likely do the trick, if it is viewed in Outlook.
I didn’t realize people still used Outlook