WMF vulnerability not an accident? Was it an intentional backdoor?



I’m not quite sure if I’m willing to attribute to design what I could attribute to a mistake… but Slashdot has pointed out that Steve Gibson, in his latest Security Now! podcast (link is to the transcript), is suggesting that the WMF vulnerability of recent weeks appears (to him) to have been INTENTIONALLY included as a remote backdoor.


Basically, he was in the process of designing a test for the vulnerability, with hopes of fixing it for the versions of Windows it is “not critical” for… and what he found was very interesting. First, SetAbortProc has no business being involved in WMF rendering at all. So, from his transcript…

each record in a metafile begins with a four-byte length, followed by a two-byte function number. So in other words, each metafile record has six bytes minimum that it can possibly be in size. Oh, and since the size is in words, the smallest possible size for a metafile record would be three words long, or six bytes. Look, the reason I had problems making this exploit happen initially is I was setting the length correctly. It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn’t trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.

Like I say, I’m not sure whether to chalk it up to a designed trigger for a backdoor, or just… “oh, I never imagined someone would try setting it to one…” but it wouldn’t be THAT shocking if it is a trigger for a backdoor. If you believe some, there are many other hidden backdoors in Windows. Given that Windows is closed source, we really can’t know about any backdoors, can we?

Anyway, he’s researching the issue further and expects to have an update in next week’s podcast. At this point, though, I suspect there is no way we could know for sure whether it was there intentionally or not; we can only guess. He did make the point that there have been other WMF vulnerabilities, and that Microsoft recently stopped EVERYTHING they were doing and went through a massive security audit of their code, which, he suggests, given past experience should have included a thorough look at WMF-related items. He suggests this should have shown up in that review. It’ll be interesting to see what he has to say next week and what other folks have to say about this.
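As an added illustration (not part of the original post, nor Gibson’s own test code), here is a small Python scanner that walks WMF records using the layout the transcript describes (4-byte size in words, then 2-byte function number, 3 words minimum) and flags two things a defender would want to see: an impossible size field, and any Escape record that invokes SetAbortProc. The record function numbers META_ESCAPE (0x0626), META_SETBKMODE (0x0102) and the SetAbortProc escape code (0x0009) come from the WMF format rather than from this post, and the sample files are constructed here.

```python
import struct

META_ESCAPE = 0x0626      # WMF record function number for Escape records
SETABORTPROC = 0x0009     # Escape sub-function selecting SetAbortProc
META_SETBKMODE = 0x0102   # an ordinary drawing record, used in the clean sample
MIN_RECORD_WORDS = 3      # 4-byte size + 2-byte function: no record can be shorter
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" header precedes the real one


def scan_wmf(data: bytes) -> list:
    """Walk the records of a WMF file and return a list of findings.
    Flags (a) Escape records that invoke SetAbortProc, which a picture has no
    reason to contain, and (b) a size field below the 3-word minimum, the
    impossible value the transcript describes. Scanning stops at the first
    impossible size, because the size field can no longer be trusted."""
    findings = []
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_MAGIC) else 0
    if len(data) < off + 18:
        return ["truncated: standard 18-byte WMF header missing"]
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == 0:                       # META_EOF ends the record stream
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            escape_fn = struct.unpack_from("<H", data, off + 6)[0]
            if escape_fn == SETABORTPROC:
                findings.append(f"record@{off}: Escape/SetAbortProc")
        if size_words < MIN_RECORD_WORDS:
            findings.append(f"record@{off}: impossible size {size_words} words (min 3)")
            break
        off += size_words * 2
    return findings


def _header() -> bytes:
    # Constructed 18-byte standard header: type, header size (words), version, then
    # file size, object count, largest record and reserved field, all zeroed here.
    return struct.pack("<HHHIHIH", 1, 9, 0x300, 0, 0, 0, 0)


def build_clean_sample() -> bytes:
    """Constructed well-formed file: header, one 4-word SetBkMode record, EOF."""
    return _header() + struct.pack("<IHH", 4, META_SETBKMODE, 1) + struct.pack("<IH", 3, 0)


def build_bad_sample() -> bytes:
    """Constructed malformed file: the Escape/SetAbortProc record carries size 1."""
    bad = struct.pack("<IHHH", 1, META_ESCAPE, SETABORTPROC, 0)
    return _header() + bad + struct.pack("<IH", 3, 0)
```

Run `scan_wmf(open(path, "rb").read())` over a directory of incoming images to get the same two findings for real files; the clean sample returns an empty list, the malformed one reports both the SetAbortProc escape and the size of 1.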
