13 January 2006 @ 09:50 am
Windows Metafile backdoor
Listening to the Security Now! podcast, I just heard Steve Gibson claim that the WMF exploit is in fact a back door put in by somebody at Microsoft. Of course, it's not clear whether this was "official" Microsoft action or a "rogue programmer".

It'll be interesting to see if further evidence supports this hypothesis.
Stupendous Man (farmalloc) on January 13th, 2006 06:33 pm (UTC)
I asked a guy I know that works in IE "Was this recent WMF metafile exploit a back door that someone put in the code or what"

His response:

Backdoor my ass. No F’in way. This backdoor crap comes from Steve Gibson of Gibson research, (google for him). He is a total attention monger and is a well known dip shit in the security world. Total idiot.

It wasn’t a back door, it was intended functionality for printing device contexts that was repurposed to run code. It was certainly a _very_dumb_ feature but it wasn’t a backdoor. Gibson is a total dickhead.
St. Sean the Amused (seanb) on January 13th, 2006 07:04 pm (UTC)
If Windows was actually just following the SETABORTPROC instruction, I would agree with the IE guy. Unfortunately, that doesn't seem to be the case: a combination of nonsense instructions is apparently causing Windows to create a thread and start executing WMF records as arbitrary code. There is a big difference between parsing WMF records and executing CPU code.

I can see ways that combining a bad checksum length with an invalid SETABORTPROC might result in pointer weirdness that leads to executing code within a file, but it seems ludicrous enough that the intentional backdoor explanation is still plausible. It is definitely behavior different from "intended functionality".


The claim is worth noting, and I am not entirely convinced that it is incorrect.
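For anyone wanting to triage files for the record seanb is describing, here is an added example (not from this thread or from Microsoft) that walks the WMF record stream and reports any Escape record whose sub-function is SETABORTPROC. The record codes (META_ESCAPE = 0x0626, SETABORTPROC = 9) are the documented WMF values; the sample files are constructed inline.

```python
import struct

META_ESCAPE = 0x0626        # WMF record function code for an Escape record
SETABORTPROC = 9            # Escape sub-function discussed in the thread
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte Aldus placeable header

def iter_wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF byte string."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                              # skip the placeable header
    if len(data) < off + 18:                  # standard METAHEADER is 18 bytes
        return
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                    # size covers at least size+function
            break
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == 0:                         # META_EOF
            break
        off = end

def find_setabortproc(data: bytes):
    """Return offsets of Escape records whose escape sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits

def build_wmf(records):
    """Constructed sample builder: 18-byte header, given (func, params) records, EOF."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, 0)
    max_rec = max((3 + len(p) // 2 for _, p in records), default=3)
    header = struct.pack("<HHHIHIH", 1, 9, 0x300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body

# Constructed samples: a harmless SETBKCOLOR record vs. an Escape/SETABORTPROC record.
BENIGN = build_wmf([(0x0201, struct.pack("<I", 0x00FF00FF))])
SUSPICIOUS = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\xde\xad\xbe\xef")])

if __name__ == "__main__":
    print("benign:", find_setabortproc(BENIGN))          # []
    print("suspicious:", find_setabortproc(SUSPICIOUS))  # [18]
```

Presence of the escape is a triage signal rather than proof of exploitation, since a legitimate print-spool metafile could carry it; flagged files deserve a closer look.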
Stupendous Man (farmalloc) on January 13th, 2006 07:16 pm (UTC)
My man has a technical writeup about it that he is going to send me. If it isn't confidential and you are interested I will send it your way. If it is I will see what I can digest and if there is any insight I will pass it along.