WMF vulnerability not an accident? Was it an intentional backdoor?



I’m not quite sure if I’m willing to attribute to design, what I could attribute to a mistake… but, slashdot has pointed out that Steve Gibson in his latest Security Now! podcast (link is to transcript), is suggesting that it appears as though the WMF vulnerability of recent weeks appears (to him) to have been INTENTIONALLY included as a means of a remote backdoor.


Basically, he was in process of designing a test for the vulnerability with hopes of fixing it for the versions of Windows that it is “not critical” for… what he found was very interesting. The setAbortProc, first has no business being involved with wmf rendering. So, from his transcript…

each record in a metafile begins with a four-byte length, followed by a two-byte function number. So in other words, each metafile record has six bytes minimum that it can possibly be in size. Oh, and since the size is in words, the smallest possible size for a metafile record would be three words long, or six bytes. Look, the reason I had problems making this exploit happen initially is I was setting the length correctly. It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn’t trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.

Like, I say, I’m not sure whether to chalk it up to a designed trigger for a backdoor, or just… “oh I never imagined someone would try setting it to one…” but, it wouldn’t be THAT shocking if it is a trigger for a backdoor. If you believe some, there are many other hidden backdoors in Windows. Given that Windows is closed source, well, we really can’t technically know about any backdoors can we?

Anyway, he’s researching the issue further and expects to have an update in next weeks podcast. At this point though, I suspect there is no way we could know for sure whether it was there intentionally or not, we can only guess. He did make the point that there have been other WMF vulnerabilities and they recently stopped EVERYTHING they were doing at Microsoft and went through a massive security audit of their code, which he suggests, given past experience should have included a thorough look at WMF related items. He suggests that this should have showed up in that review. It’ll be interesting to see what he has to say next week and what other folks have to say about this.

Related Posts

Blog Traffic Exchange Related Posts
  • WMF exploit testing on Windows 98 I had hoped to get in another test of Windows 98 with yet another WMF viewer (tried Kodak imaging, and irfanview). So far I haven't seen a way that the WMF exploits can work on Windows 98 SE. I'm running out of time before I have to run to some......
  • Zero-day ( 0-day) Microsoft Word exploit There was some news on this last night at Incidents.org, today F-secure has some details as well on the trojan that's dropped in this circulating, exploit. It seems as though the initial attack was very targetted against a specific organization. Antivirus packages did not recognize the trojan that the exploit......
  • Windows 2000 Worm vulnerability Apparently, there is an unpatched vulnerability in Windows 2000 that could open the door for a network worm. The details have not been released to give Microsoft time to deal with a patch. (Microsoft is drawing down support commitments to 2000, releasing a batch of updates just before their timeline......
Blog Traffic Exchange Related Websites
  • Microsoft Security Bulletin Summary for July 2010 MS10-042 - Vulnerability in Help and SupportCenter Could Allow Remote Code Execution (2229593) "This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if......
  • Top-Ranked Players Advance to Quarter-Finals at Australian Open At the Rod Laver Arena in Melbourne, Andy Roddick defeated Fernando Gonzales on Sunday to secure his spot in the Australian Open quarter-finals.  They battled for over three-and-a-half hours until Gonzalez double-faulted around 1 a.m. The match saw Roddick struggling at times, and again clashing with a chair umpire. This......
  • Why You Need a Good Home Security System There are many unexpected things which can happen these days. The world can seem pretty cruel at times. This is when you want to be able to come home and feel safe. After all, your home is a place where you want to be able to feel your best......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site