WMF vulnerability not an accident? Was it an intentional backdoor?



I’m not quite sure if I’m willing to attribute to design, what I could attribute to a mistake… but, slashdot has pointed out that Steve Gibson in his latest Security Now! podcast (link is to transcript), is suggesting that it appears as though the WMF vulnerability of recent weeks appears (to him) to have been INTENTIONALLY included as a means of a remote backdoor.


Basically, he was in process of designing a test for the vulnerability with hopes of fixing it for the versions of Windows that it is “not critical” for… what he found was very interesting. The setAbortProc, first has no business being involved with wmf rendering. So, from his transcript…

each record in a metafile begins with a four-byte length, followed by a two-byte function number. So in other words, each metafile record has six bytes minimum that it can possibly be in size. Oh, and since the size is in words, the smallest possible size for a metafile record would be three words long, or six bytes. Look, the reason I had problems making this exploit happen initially is I was setting the length correctly. It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn’t trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.

Like, I say, I’m not sure whether to chalk it up to a designed trigger for a backdoor, or just… “oh I never imagined someone would try setting it to one…” but, it wouldn’t be THAT shocking if it is a trigger for a backdoor. If you believe some, there are many other hidden backdoors in Windows. Given that Windows is closed source, well, we really can’t technically know about any backdoors can we?

Anyway, he’s researching the issue further and expects to have an update in next weeks podcast. At this point though, I suspect there is no way we could know for sure whether it was there intentionally or not, we can only guess. He did make the point that there have been other WMF vulnerabilities and they recently stopped EVERYTHING they were doing at Microsoft and went through a massive security audit of their code, which he suggests, given past experience should have included a thorough look at WMF related items. He suggests that this should have showed up in that review. It’ll be interesting to see what he has to say next week and what other folks have to say about this.

Related Posts

Blog Traffic Exchange Related Posts
  • Zero-day ( 0-day) Microsoft Word exploit There was some news on this last night at Incidents.org, today F-secure has some details as well on the trojan that's dropped in this circulating, exploit. It seems as though the initial attack was very targetted against a specific organization. Antivirus packages did not recognize the trojan that the exploit......
  • Vista's fatal flaw? Backwards compatibility. It's something that many vendors strive for and Microsoft is certainly one that has placed a value on making things backwards compatible for third party software. According to this story at Sci-Tech Today, Symantec thinks this eagerness to be backwards compatible may be a big issue for Vista's......
  • Windows 2000 Worm vulnerability Apparently, there is an unpatched vulnerability in Windows 2000 that could open the door for a network worm. The details have not been released to give Microsoft time to deal with a patch. (Microsoft is drawing down support commitments to 2000, releasing a batch of updates just before their timeline......
Blog Traffic Exchange Related Websites
  • Why You Need a Good Home Security System There are many unexpected things which can happen these days. The world can seem pretty cruel at times. This is when you want to be able to come home and feel safe. After all, your home is a place where you want to be able to feel your best......
  • Microsoft Security Bulletin MS10-046 - Critical Microsoft Security Bulletin MS10-046 - Critical Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) Published: August 02, 2010¬†|¬†Updated: August 03, 2010 Version: 1.1 General Information Executive Summary This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon......
  • Microsoft Security Bulletin Summary for September 2010 - Issued: September 14, 2010 ******************************************************************** Microsoft Security Bulletin Summary for September 2010 Issued: September 14, 2010 ******************************************************************** This bulletin summary lists security bulletins released for September 2010. The full version of the Microsoft Security Bulletin Summary for September 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx. With the release of the bulletins for September 2010, this......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site