WMF vulnerability not an accident? Was it an intentional backdoor?



I’m not quite sure if I’m willing to attribute to design, what I could attribute to a mistake… but, slashdot has pointed out that Steve Gibson in his latest Security Now! podcast (link is to transcript), is suggesting that it appears as though the WMF vulnerability of recent weeks appears (to him) to have been INTENTIONALLY included as a means of a remote backdoor.


Basically, he was in process of designing a test for the vulnerability with hopes of fixing it for the versions of Windows that it is “not critical” for… what he found was very interesting. The setAbortProc, first has no business being involved with wmf rendering. So, from his transcript…

each record in a metafile begins with a four-byte length, followed by a two-byte function number. So in other words, each metafile record has six bytes minimum that it can possibly be in size. Oh, and since the size is in words, the smallest possible size for a metafile record would be three words long, or six bytes. Look, the reason I had problems making this exploit happen initially is I was setting the length correctly. It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn’t trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.

Like, I say, I’m not sure whether to chalk it up to a designed trigger for a backdoor, or just… “oh I never imagined someone would try setting it to one…” but, it wouldn’t be THAT shocking if it is a trigger for a backdoor. If you believe some, there are many other hidden backdoors in Windows. Given that Windows is closed source, well, we really can’t technically know about any backdoors can we?

Anyway, he’s researching the issue further and expects to have an update in next weeks podcast. At this point though, I suspect there is no way we could know for sure whether it was there intentionally or not, we can only guess. He did make the point that there have been other WMF vulnerabilities and they recently stopped EVERYTHING they were doing at Microsoft and went through a massive security audit of their code, which he suggests, given past experience should have included a thorough look at WMF related items. He suggests that this should have showed up in that review. It’ll be interesting to see what he has to say next week and what other folks have to say about this.

Related Posts

Blog Traffic Exchange Related Posts
  • Update on the Internet Explorer VML vulnerability Just catching up on the days VML vulnerability news from today.... It looks as though... the exploit is now MUCH more widespread this blog has some video of an infection, what's notable is that the first take was VERY UNEVENTFUL, it was used to stealthily install a keylogger. (So that......
  • Microsoft was aware of the WMF vulnerability "for years" Bugtraq has an interesting post which picks up on a note in Stephen Toulouse's latest entry on the WMF vulnerability. When I first read the post I was more interested in the way he was responding to allegations of the flaw being an intentional backdoor, but the above bugtraq post......
  • Blackberry vulnerability to be released soon Between the Lines is warning that Blackberry Enterprise servers ought to be placed in the DMZ (if not already.) There is word that a critical vulnerability will be announced on August 14th. (And if we already know that's coming then SOMEONE knows what that vulnerability is.) It basically uses software......
Blog Traffic Exchange Related Websites
  • Microsoft Security Bulletin Summary for July 2010 MS10-042 - Vulnerability in Help and SupportCenter Could Allow Remote Code Execution (2229593) "This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if......
  • How to Say I Love You (Part 1) It's important not only to feel loved but to be able to share your feelings with others. When it comes to "I love you," too often we gloss over these important words or don't say them at all. In a world where socialization is now dominated by digital communication we're......
  • Top-Ranked Players Advance to Quarter-Finals at Australian Open At the Rod Laver Arena in Melbourne, Andy Roddick defeated Fernando Gonzales on Sunday to secure his spot in the Australian Open quarter-finals.  They battled for over three-and-a-half hours until Gonzalez double-faulted around 1 a.m. The match saw Roddick struggling at times, and again clashing with a chair umpire. This......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site