Microsoft deliberately designed a Windows MetaFile Backdoor?

SpywareDr
January 13th, 2006, 06:09 PM
Security Expert Steve Gibson Says Microsoft Intentionally Put a Backdoor in Windows 2000 and XP. Film at 11. Transcript and PodCast mp3s:
http://www.grc.com/sn/SN-022.htm

lgbpop
January 13th, 2006, 06:33 PM
There've been a number of them to date, but usually they're common knowledge, like Windows Messenger.....this one sounds a little more, shall we say, planned?

SpywareDr
January 13th, 2006, 07:03 PM
Indeed. It'll be interesting to see how this one develops ...

poppy4
January 13th, 2006, 08:21 PM
Design Flaw.... :confused: or By Design.... :eek: :( Disheartening, to say the least....

Abhoth
January 13th, 2006, 08:29 PM
It's a "Feature" ... yeah, that's it! A Feature...

SpywareDr
January 13th, 2006, 08:36 PM
Like Steve Gibson says though, "We will never have proof one way or the other because we will never know for sure what Microsoft's intentions were." Looks like the proverbial $hit is already starting to hit the fan ...
http://news.google.com/news?hl=en&ned=us&q=%22steve+gibson%22&btnG=Search+News

poppy4
January 13th, 2006, 08:36 PM
Abhoth
You are probably right...that's the spin they'll put on it. :rolleyes:

SuperSparks
January 13th, 2006, 08:50 PM
I read something about this the other day, I wish I could find the link to it. The .wmf file type was designed a long time ago, and this flaw was indeed coded in deliberately, apparently. But not to make a "backdoor" or for any other nefarious reason, it was to add functionality to WMFs that couldn't be done any other way at the time.
It's pretty typical of Steve Gibson to see it all as some great conspiracy :rolleyes:

SuperSparks
January 13th, 2006, 08:58 PM
Found it:
When WMF files were designed in the late 1980s, a feature was included that allowed the image files to contain computer code that could be executed on a PC, said Mikko Hypponen, chief research officer at Finnish security company F-Secure. "This was not a bug; this was something that was needed at the time," Hypponen said. "It is just bad design, design from another era." The graphics file format was introduced with Windows 3.0 in early 1990. Executable code in the image file could help abort the processing of large images on the slow systems of yesteryear, security experts said.
http://news.com.com/Microsoft+to+hunt+for+new+species+of+Windows+bug/2100-1002-6024778.html?part=dht&tag=nl.e433

SpywareDr
January 13th, 2006, 09:16 PM
Interesting. Wonder if Steve Gibson has seen it yet. :)
"WMF was designed a long time ago, when information security was not considered an essential part of software design" --Ilfak Guilfanov (a European software developer who made headlines by beating Microsoft to the punch with a fix for the Windows flaw)

poppy4
January 13th, 2006, 09:28 PM
"WMF was designed a long time ago, when information security was not considered an essential part of software design"
How "long ago" would that be, I wonder? Is technology moving too fast? Or a matter of $ not re-designing?

SpywareDr
January 13th, 2006, 09:34 PM
"How long ago" is in SuperSparks' message above ... When WMF files were designed in the late 1980s, ...

poppy4
January 13th, 2006, 09:53 PM
oops...Thanks!
Tuttle
January 13th, 2006, 11:12 PM
Here's the Microsoft explanation: http://blogs.technet.com/msrc/ (http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx)

To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. Remember, those were the days of co-operative multitasking and the only way to allow the user to cancel a print job would be to call back to them, usually via a dialog.

Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS.

To recap, when it was introduced, the SetAbortProc functionality served an important function. The vulnerability was introduced when all that GDI functionality was allowed to be called from metafiles.

The potential danger of this type of metafile record was recognized and some applications (Internet Explorer, notably) will not process any metafile record of type META_ESCAPE, the overall type of the SetAbortProc record. That restriction is the reason it's not possible to exploit this vulnerability by simply referencing an image directly in HTML. IE just won't process it.

How then is Internet Explorer an attack vector for the vulnerability? An example of that is through the Windows Picture and Fax Viewer. That application can convert a raw WMF into a printable EMF record. During this conversion, the application will process the META_ESCAPE record. All the current exploits we're aware of are based on creating an html construct using an IFRAME.

At a high level, the IFRAME passes off content to the Windows shell to display. The shell looks up the registered handler for WMF which is the Windows Picture and Fax Viewer (shimgvw.dll) by default. It can run into the vulnerability when converting a raw WMF to a printable EMF if MS06-001 is not applied to the system.

lgbpop
January 14th, 2006, 12:22 AM
That all makes sense, actually. The operating environment changed after the system was designed. Think of car door-lock buttons in the '50s and '60s. They had the flange on the top, to make it easier to grip. Then the operating environment changed--car thieves exploited the design to open the car with a coathanger. Was the button designed that way on purpose? Yes, but not for that reason. The design was first patched (the flange disappeared), then eventually changed altogether.

I'd like to think MS is leveling here; I'm of the opinion that most corporate entities don't have nefarious plans up their sleeves to take advantage of the customer. It backfires in the long run. Sony is a good example of a company I no longer trust, because their rootkit was designed specifically to bypass owners' detection for Sony's benefit. This MS thing could very well be just a leftover from a more innocent time before hackers got malicious, and people didn't lock their houses, and left their cars running while going into the corner store. Maybe I'm a leftover from a more innocent time. :o

imadreamer2
January 14th, 2006, 04:25 AM
This is a very interesting mp3 type interview with Steve Gibson. Steve Gibson says the vulnerability was as if MS deliberately put it in there and was discovered by others to exploit it.
http://media.grc.com/sn/SN-022-lq.mp3
Mp3 file of about 4.6 Mb. 39 minutes. I haven't seen the text version for download yet.
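The Microsoft explanation quoted by Tuttle comes down to one record type: a META_ESCAPE record carrying a SetAbortProc escape, which Internet Explorer refuses to process but the Picture and Fax Viewer handles during WMF-to-EMF conversion. The scanner below is an added example written for this thread, not code from Microsoft, Steve Gibson or Ilfak Guilfanov. It walks the record list of a WMF file the way a defensive diagnostic or mail-gateway filter would, reports every META_ESCAPE record (naming SETABORTPROC ones), and stops at the first record whose size field cannot be right. The header and record layout and the values META_ESCAPE = 0x0626 and SETABORTPROC = 0x0009 come from the published MS-WMF format; the three sample metafiles are constructed inline and carry no executable content.

```python
import struct

# Constants from the published MS-WMF format specification.
META_HEADER_SIZE = 18          # fixed META_HEADER length in bytes
PLACEABLE_KEY = 0x9AC6CDD7     # magic of the optional 22-byte placeable header
META_EOF = 0x0000              # RecordFunction of the terminating record
META_SETMAPMODE = 0x0103       # an ordinary drawing record, used for the samples
META_ESCAPE = 0x0626           # RecordFunction of a META_ESCAPE record
SETABORTPROC = 0x0009          # EscapeFunction value that names SetAbortProc


def strip_placeable_header(data: bytes) -> bytes:
    """Drop the Aldus placeable header, if present, so offsets start at META_HEADER."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def scan_wmf(data: bytes) -> list:
    """Walk the record list of a WMF and return a list of findings.

    Each finding is a dict with 'offset' (relative to META_HEADER) and 'issue'.
    META_ESCAPE records are always reported, SETABORTPROC ones by name, and the
    walk stops at the first record whose RecordSize is impossible.
    """
    body = strip_placeable_header(data)
    findings = []
    if len(body) < META_HEADER_SIZE:
        return [{"offset": 0, "issue": "truncated META_HEADER"}]

    file_type, header_words, _version = struct.unpack_from("<HHH", body, 0)
    if file_type not in (1, 2) or header_words != 9:
        findings.append({"offset": 0, "issue": "unexpected META_HEADER fields"})

    offset = META_HEADER_SIZE
    saw_eof = False
    while offset + 6 <= len(body):
        size_words, function = struct.unpack_from("<IH", body, offset)
        size_bytes = size_words * 2
        # A record is at least RecordSize + RecordFunction = 3 WORDs and must
        # fit inside the file; anything else is malformed and not worth trusting.
        if size_words < 3 or offset + size_bytes > len(body):
            findings.append({"offset": offset, "issue": "malformed record size"})
            break
        if function == META_EOF:
            saw_eof = True
            break
        if function == META_ESCAPE:
            escape_fn, byte_count = struct.unpack_from("<HH", body, offset + 6)
            issue = "SETABORTPROC escape" if escape_fn == SETABORTPROC else "META_ESCAPE"
            findings.append({"offset": offset, "issue": issue,
                             "escape": escape_fn, "bytes": byte_count})
        offset += size_bytes
    if not saw_eof and not any(f["issue"] == "malformed record size" for f in findings):
        findings.append({"offset": offset, "issue": "missing META_EOF"})
    return findings


# --- constructed sample metafiles (not real files from the incident) ---------

def record(function: int, params: bytes = b"") -> bytes:
    """Build one WMF record: RecordSize (in WORDs), RecordFunction, parameters."""
    assert len(params) % 2 == 0, "WMF record parameters are WORD-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def build_wmf(records: list) -> bytes:
    """Prepend a consistent META_HEADER (disk metafile, version 0x0300)."""
    body = b"".join(records)
    total_words = (META_HEADER_SIZE + len(body)) // 2
    max_record = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16,
                         0, max_record, 0)
    return header + body


BENIGN_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),   # MM_ANISOTROPIC
    record(META_EOF),
])

# Same drawing plus one META_ESCAPE/SETABORTPROC record; the escape data is
# four zero bytes, so the sample carries nothing executable.
SUSPECT_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
    record(META_EOF),
])

# A record whose RecordSize claims 1 WORD: a parser that trusts it would misstep.
MALFORMED_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    struct.pack("<IH", 1, META_ESCAPE),
    record(META_EOF),
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                         ("malformed", MALFORMED_WMF)):
        print(name, scan_wmf(sample) or "no findings")
```

Run as a script it prints the findings for the three constructed samples; `scan_wmf` can be pointed at any file's bytes. Reporting every META_ESCAPE record rather than only SETABORTPROC mirrors the IE policy Microsoft describes, which rejects the whole record type, and stopping at a bad RecordSize avoids the parser walking off the end of the data.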
SpywareDr
January 14th, 2006, 05:17 AM
A link to the Transcript (text) and the mp3 is in the first message in this thread: http://www.grc.com/sn/SN-022.htm

Welshjim
January 14th, 2006, 03:58 PM
Steve Gibson is working on his own fix http://www.grc.com/wmf/wmf.htm
But I understand he does not think it really is ready for use by the general public yet.

Tuttle
January 14th, 2006, 07:59 PM
Given how much Gibson has managed to get wrong about this so far, I'm not sure I'd trust whatever he comes up with anyway. :)

SpywareDr
January 20th, 2006, 08:02 AM
Update
M.I.C.E. -- Metafile Image Code Execution
http://www.grc.com/wmf/wmf.htm

Welshjim
January 20th, 2006, 03:10 PM
This is, of course, a diagnostic tool and not a fix. Wonder if it is any different or better than the one Ilfak Guilfanov posted some weeks ago. This also seems to be the successor to Gibson's KnockKnock.exe.

poppy4
January 20th, 2006, 03:13 PM
I've used them both....kind of like getting a second opinion...:)

A31Chris
January 23rd, 2006, 04:52 AM
"Given how much Gibson has managed to get wrong about this so far, I'm not sure I'd trust whatever he comes up with anyway. :)"
Yeah he's a fear monger for sure. And I'm convinced he's on ZA's payroll and most likely was the one who created the Witty Worm. If he is on ZA's payroll, the more fear he created about security the more business ZA gets. But on the other hand there's M$. Like being stuck between two devils. Hubba hubba hubba. Who do ya trust?

SuperSparks
January 25th, 2006, 08:04 PM
Well there's no mincing of words here :eek:
Windows backdoor rumour is bunk (http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/)

SpywareDr
January 26th, 2006, 10:06 AM
Wow, n-a-i-l-e-d his @5$$ to a tree!
The rumor began when popinjay (http://wordnet.princeton.edu/perl/webwn?s=popinjay) expert Steve Gibson examined an unofficial patch issued by Ilfak Guilfanov, and, due to his lack of security experience, observed behavior that he could not explain by means other than a Microsoft conspiracy.
...
Gibson could not imagine why WMF rendering should need the SetAbortProc API, since, as he mistakenly believed, WMF outputs to a screen, not a printer. In fact, it can output to a printer as well. But following Gibson's erroneous assumption, the question arose: what would be the point of polling the process and allowing the user, or application, to cancel it? Having exhausted his imagination on that score, he concluded that there's no good reason for SetAbortProc to be involved in handling metafiles. The more logical explanation, Gibson reckoned, was that someone at Microsoft had deliberately back-doored Windows with this peculiar little stuff-up. And besides, the idea of compromising a computer with an image file seemed quite cloak-and-dagger, adding to the supposed "mystery."
...
Here Gibson takes his preferred route to getting the ink that he craves: technobabble and innuendo. He can't prove anything (technically, he hasn't got the chops), so he lurks in the gray area between fact and fiction, and generates torrents of fear, uncertainty, and doubt.

The FUD Olympics
Gibson has a bad track record: a history of latching onto arcane issues that he doesn't fully understand and can never prove, and converting his limited understanding into fodder for the next internet melt-down.
...
The WMF backdoor is very much in keeping with Gibson's history of getting security matters a bit wrong, filling the gaps in his understanding with technobabble, and hyping the actual matter out of all reasonable proportion in his neverending quest of ink. And here, much as we regret it, we've given him even more ink. We can only hope that it dispels the ridiculous rumor that Gibson has propagated, and thus will do more good than harm.

Sheesh! Wonder if Gibson's seen the article?

-- And finally, to sum up this purported WMF "Backdoor", according to "The Register":
... Microsoft doesn't need this as a back door; it already has one: Windows Automatic Update. It's got Windows boxes phoning home without user interaction, identifying themselves, and downloading and installing code in the background. Technically speaking, it would not be difficult for the company to pervert this process subtly, and effectively, to target certain machines for malware. But naturally, there is no possibility that it ever will: its actually doing so would be detected, and proved, and the company would end up with the PR debacle of the century. So, yes, there is a back door in Windows, and no, it is not news.

A31Chris
January 26th, 2006, 01:15 PM
Someone oughta go to GRC's website and Email it to Steve. Make sure he gets it. ;) I'll do it if no one else wants to. :D

lgbpop
January 26th, 2006, 04:48 PM
"I'll do it if no one else wants to."
Three cheers for Angus Bell-the-Cat! :D Preface the forward with a truly humble note.

virtualdr.com
Copyright WebMediaBrands Inc., All Rights Reserved.