MS responds to “intentional backdoor”, WMF claim



Microsoft is disputing claims by Steve Gibson, that the WMF vulnerability was an intentionally placed backdoor. There is a response to the claims in the Microsoft Security Incident Response blog. Apparently since the SetAbortProc procedure relates to printing, previous versions of Windows ignored the call unless printing was involved. (Why did windows start paying attention to it otherwise?)


Among other things….

It can run into the vulnerability when converting a raw WMF to a printable EMF

Which does start to make sense in a way…. When IE opens a wmf in Windows Picture and Fax viewer (in XP/2000) it converts it from a raw WMF to a printable EMF… that explains a bit more on how this works. For details on the difficulty that Steve Gibson ran into with triggering the vulnerability…

Now, there’s been some speculation that you can only trigger this by using an incorrect size in your metafile record and that this trigger was somehow intentional. That speculation is wrong on both counts. The vulnerability can be triggered with correct or incorrect size values. If you are seeing that you can only trigger it with an incorrect value, it’s probably because your SetAbortProc record is the last record in the metafile. The way this functionality works is by registering the callback to be called after the next metafile record is played. If the SetAbortProc record is the last record in the metafile, it will be more difficult to trigger the vulnerability.

And an explanation of why the problem on Win9x is not “critical”…

The reason Windows 9x is not vulnerable to a “Critical” attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record. Although the vulnerable code does exist in the Win9x platform, all “Critical” attack vectors are blocked by this additional step. The remaining attack vectors that we have identified require extensive user interaction and are not rated “Critical”. Again the “Critical” rating refers to code execution attacks that could result in automated attacks requiring little or no user interaction.

Good explanations and response to the charges from what I can see. It’s more than the response I expected from Microsoft. Frankly it’s somewhat refreshing to see them talking so candidly about a(n already patched) vulnerability and how it works.

Related Posts

Blog Traffic Exchange Related Posts
  • Version 2 of the WMF exploit vs Windows 98 SE Ok, I wasn't quite satisfied with the results of the tests against the first version of the WMF (Windows Metafile) zero day exploit that's now up to 4 or 5 days or so... Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for......
  • So who is behind Windows Police Pro Virus / Rogue Security Software? As I've seen the continuing FLOOD of searches for some way to Remove Windows Police Pro, I've been starting to wonder at the who is behind this particular piece of junk software. These programs aren't written by your average ordinary virus writer, there is really too much spit and polish......
  • How to Remove PCSProtector | PCSProtector Removal Guide PCSProtector is a rogue antivirus application from the winisoft family of rogues. They are essentially clones of each other and all resemble each other with the minor modification of the name of the rogue and it's files. These rogues are typically distributed by trojan horse activity as well as malware......
Blog Traffic Exchange Related Websites
  • Microsoft Security Bulletin MS10-046 - Critical Microsoft Security Bulletin MS10-046 - Critical Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) Published: August 02, 2010 | Updated: August 03, 2010 Version: 1.1 General Information Executive Summary This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon......
  • Microsoft reveals Six Windows 7 Editions Microsoft has announced that the upcoming Windows 7 will boast of six editions - Starter, Basic, Home Premium, Professional, Ultimate and Enterprise. But unlike Windows Vista, upgrading to a higher, more featured version will not result in loss of existing features from the lower version. Also Windows 7 is designed......
  • Microsoft Plans Emergency Windows Patch for Monday August 2nd Microsoft stated they will issue an emergency patch for the critical Windows shortcut bug on Monday, Aug. 2.  The patch is set to be released on Monday at around 10 a.m. California time.  The news of this vulnerability surfaced 2 weeks ago and with an of attackers trying to exploit this......
en.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site