WMF vulnerability not an accident? Was it an intentional backdoor?



I’m not quite sure if I’m willing to attribute to design, what I could attribute to a mistake… but, slashdot has pointed out that Steve Gibson in his latest Security Now! podcast (link is to transcript), is suggesting that it appears as though the WMF vulnerability of recent weeks appears (to him) to have been INTENTIONALLY included as a means of a remote backdoor.


Basically, he was in process of designing a test for the vulnerability with hopes of fixing it for the versions of Windows that it is “not critical” for… what he found was very interesting. The setAbortProc, first has no business being involved with wmf rendering. So, from his transcript…

each record in a metafile begins with a four-byte length, followed by a two-byte function number. So in other words, each metafile record has six bytes minimum that it can possibly be in size. Oh, and since the size is in words, the smallest possible size for a metafile record would be three words long, or six bytes. Look, the reason I had problems making this exploit happen initially is I was setting the length correctly. It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn’t trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.

Like, I say, I’m not sure whether to chalk it up to a designed trigger for a backdoor, or just… “oh I never imagined someone would try setting it to one…” but, it wouldn’t be THAT shocking if it is a trigger for a backdoor. If you believe some, there are many other hidden backdoors in Windows. Given that Windows is closed source, well, we really can’t technically know about any backdoors can we?

Anyway, he’s researching the issue further and expects to have an update in next weeks podcast. At this point though, I suspect there is no way we could know for sure whether it was there intentionally or not, we can only guess. He did make the point that there have been other WMF vulnerabilities and they recently stopped EVERYTHING they were doing at Microsoft and went through a massive security audit of their code, which he suggests, given past experience should have included a thorough look at WMF related items. He suggests that this should have showed up in that review. It’ll be interesting to see what he has to say next week and what other folks have to say about this.

Related Posts

Blog Traffic Exchange Related Posts
  • Microsoft was aware of the WMF vulnerability "for years" Bugtraq has an interesting post which picks up on a note in Stephen Toulouse's latest entry on the WMF vulnerability. When I first read the post I was more interested in the way he was responding to allegations of the flaw being an intentional backdoor, but the above bugtraq post......
  • WMF exploit testing on Windows 98 I had hoped to get in another test of Windows 98 with yet another WMF viewer (tried Kodak imaging, and irfanview). So far I haven't seen a way that the WMF exploits can work on Windows 98 SE. I'm running out of time before I have to run to some......
  • Vista's fatal flaw? Backwards compatibility. It's something that many vendors strive for and Microsoft is certainly one that has placed a value on making things backwards compatible for third party software. According to this story at Sci-Tech Today, Symantec thinks this eagerness to be backwards compatible may be a big issue for Vista's......
Blog Traffic Exchange Related Websites
  • Microsoft Security Bulletin Summary for September 2010 - Issued: September 14, 2010 ******************************************************************** Microsoft Security Bulletin Summary for September 2010 Issued: September 14, 2010 ******************************************************************** This bulletin summary lists security bulletins released for September 2010. The full version of the Microsoft Security Bulletin Summary for September 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx. With the release of the bulletins for September 2010, this......
  • Top-Ranked Players Advance to Quarter-Finals at Australian Open At the Rod Laver Arena in Melbourne, Andy Roddick defeated Fernando Gonzales on Sunday to secure his spot in the Australian Open quarter-finals.  They battled for over three-and-a-half hours until Gonzalez double-faulted around 1 a.m. The match saw Roddick struggling at times, and again clashing with a chair umpire. This......
  • Microsoft Security Bulletin MS10-046 - Critical Microsoft Security Bulletin MS10-046 - Critical Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) Published: August 02, 2010 | Updated: August 03, 2010 Version: 1.1 General Information Executive Summary This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site