-
January 13th, 2006, 06:09 PM
#1
Microsoft deliberately designed a Windows MetaFile Backdoor?
Security Expert Steve Gibson Says Microsoft Intentionally Put a Backdoor in Windows 2000 and XP. Film at 11.
Transcript and PodCast mp3s:
http://www.grc.com/sn/SN-022.htm
-
January 13th, 2006, 06:33 PM
#2
There've been a number of them to date, but usually they're common knowledge, like Windows Messenger.....this one sounds a little more, shall we say, planned?
-
January 13th, 2006, 07:03 PM
#3
Indeed. It'll be interesting to see how this one develops ...
-
January 13th, 2006, 08:21 PM
#4
Design Flaw....
or
By Design.... 
Disheartening, to say the least....
-
January 13th, 2006, 08:29 PM
#5
It's a "Feature" ... yeah, that's it! A Feature...
-
January 13th, 2006, 08:36 PM
#6
Like Steve Gibson says though, "We will never have proof one way or the other because we will never know for sure what Microsoft's intentions were."
Looks like the proverbial $hit is already starting to hit the fan ...
http://news.google.com/news?hl=en&ne...nG=Search+News
-
January 13th, 2006, 08:36 PM
#7
Abhoth
You are probably right...that's the spin they'll put on it.
-
January 13th, 2006, 08:50 PM
#8
I read something about this the other day, I wish I could find the link to it. The .wmf file type was designed a long time ago, and this flaw was indeed coded in deliberately, apparently. But not to make a "backdoor" or for any other nefarious reason, it was to add functionality to WMF's that couldn't be done any other way at the time.
It's pretty typical of Steve Gibson to see it all as some great conspiracy.
Nick.
-
January 13th, 2006, 08:58 PM
#9
Found it:
When WMF files were designed in the late 1980s, a feature was included that allowed the image files to contain computer code that could be executed on a PC, said Mikko Hypponen, chief research officer at Finnish security company F-Secure.
"This was not a bug; this was something that was needed at the time," Hypponen said. "It is just bad design, design from another era." The graphics file format was introduced with Windows 3.0 in early 1990. Executable code in the image file could help abort the processing of large images on the slow systems of yesteryear, security experts said.
http://news.com.com/Microsoft+to+hun...ht&tag=nl.e433
Nick.
-
January 13th, 2006, 09:16 PM
#10
Interesting. Wonder if Steve Gibson has seen it yet. 
"WMF was designed a long time ago, when information security was not considered an essential part of software design"
--Ilfak Guilfanov, (a European software developer who made headlines by beating Microsoft to the punch with a fix for the Windows flaw)
-
January 13th, 2006, 09:28 PM
#11
"WMF was designed a long time ago, when information security was not considered an essential part of software design"
How "long ago" would that be, I wonder?
Is technology moving too fast?
or a matter of $ not re-designing?
-
January 13th, 2006, 09:34 PM
#12
"How long ago" is in SuperSparks message above ...
 Originally Posted by SuperSparks
When WMF files were designed in the late 1980s, ...
-
January 13th, 2006, 09:53 PM
#13
-
January 13th, 2006, 11:12 PM
#14
Here's the Microsoft explanation: http://blogs.technet.com/msrc/
To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. Remember, those were the days of co-operative multitasking and the only way to allow the user to cancel a print job would be to call back to them, usually via a dialog. Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function.
The vulnerability was introduced when all that GDI functionality was allowed to be called from metafiles. The potential danger of this type of metafile record was recognized and some applications (Internet Explorer, notably) will not process any metafile record of type META_ESCAPE, the overall type of the SetAbortProc record. That restriction is the reason it's not possible to exploit this vulnerability by simply referencing an image directly in HTML. IE just won't process it. How then is Internet Explorer an attack vector for the vulnerability? An example of that is through the Windows Picture and Fax Viewer. That application can convert a raw WMF into a printable EMF record. During this conversion, the application will process the META_ESCAPE record. All the current exploits we’re aware of are based on creating an html construct using an IFRAME. At a high level, the IFRAME passes off content to the Windows shell to display. The shell looks up the registered handler for WMF which is the Windows Picture and Fax Viewer (shimgvw.dll) by default. It can run into the vulnerability when converting a raw WMF to a printable EMF if MS06-001 is not applied to the system.
Safe computing is a habit, not a toolkit.
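The record structure described in the Microsoft explanation above, as an added example that is not part of the original thread or of Microsoft's post: a Python walker that parses a WMF file's records and reports any META_ESCAPE record whose escape function is SETABORTPROC, which is the check a viewer that refuses META_ESCAPE records (as the post says Internet Explorer does) would have to make. The record layout and numeric constants come from the published WMF format (placeable header key 0x9AC6CDD7, META_ESCAPE 0x0626, SETABORTPROC escape 0x0009); the sample files are constructed here with filler bytes in place of any payload, so they show the record shape only and are not exploit files. The function names are my own.

```python
import struct

# Documented WMF constants (MS-WMF). These come from the format
# specification, not from the forum thread.
PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the 22-byte Aldus placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009   # MetafileEscapes enumeration: SETABORTPROC


class WmfError(ValueError):
    """Raised for a structurally malformed metafile."""


def parse_wmf_records(data: bytes):
    """Yield (offset, function, params) for every record in a WMF byte string.

    Skips an optional placeable header, validates the 18-byte METAHEADER, then
    walks records. Each record starts with Size (DWORD, in 16-bit words and
    including the 6-byte record header) and Function (WORD). A size below 3
    words cannot cover its own header, so it is rejected rather than trusted,
    as is a record whose size runs past the end of the buffer.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise WmfError("truncated METAHEADER")
    file_type, header_size, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_size != 9:
        raise WmfError("bad METAHEADER")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise WmfError(f"record at {off}: size {size_words} words is below the 3-word header")
        end = off + size_words * 2
        if end > len(data):
            raise WmfError(f"record at {off}: size runs past end of data")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise WmfError("no META_EOF record")


def find_setabortproc(data: bytes):
    """Return [(offset, byte_count)] for META_ESCAPE records carrying SETABORTPROC.

    An escape record's parameters begin with EscapeFunction (WORD) and
    ByteCount (WORD); the escape payload follows.
    """
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == ESCAPE_SETABORTPROC:
                hits.append((off, byte_count))
    return hits


def is_malformed(data: bytes) -> bool:
    """True if the record walk rejects the file before reaching META_EOF."""
    try:
        for _ in parse_wmf_records(data):
            pass
        return False
    except WmfError:
        return True


# --- constructed sample files (record shape only, no real payload) ---------

def _record(func: int, params: bytes) -> bytes:
    """Encode one record; parameters are padded to a whole number of words."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_abortproc: bool) -> bytes:
    """Minimal disk metafile: METAHEADER, optional SETABORTPROC escape, META_EOF."""
    records = b""
    if with_abortproc:
        filler = b"\x90" * 8   # filler bytes standing in for the escape data
        records += _record(META_ESCAPE,
                           struct.pack("<HH", ESCAPE_SETABORTPROC, len(filler)) + filler)
    records += _record(META_EOF, b"")
    max_record_words = struct.unpack_from("<I", records, 0)[0]
    # METAHEADER: Type(2=disk), HeaderSize(9 words), Version, Size in words,
    # NumberOfObjects, MaxRecord in words, NumberOfMembers
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(records)) // 2,
                         0, max_record_words, 0)
    return header + records


def add_placeable(wmf: bytes) -> bytes:
    """Prepend an Aldus placeable header (checksum = XOR of its first 10 words)."""
    body = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum) + wmf


def undersized_record_sample() -> bytes:
    """METAHEADER followed by an escape record whose size field is only 1 word."""
    return build_sample(False)[:18] + struct.pack("<IH", 1, META_ESCAPE) + b"\x00" * 8
```

The walker flags the record type, not intent: as the post explains, a SETABORTPROC escape was a legitimate print-cancellation callback in metafiles of that era, so a scanner like this is a policy filter ("refuse META_ESCAPE from untrusted input") rather than a signature for any one exploit. The size check matters because a parser that trusts the Size field, including one that accepts a size smaller than the record header it just read, is the kind of code that gets walked into the next record's bytes by a crafted file.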
-
January 14th, 2006, 12:22 AM
#15
That all makes sense, actually. The operating environment changed after the system was designed. Think of car door-lock buttons in the '50's and '60's. They had the flange on the top, to make it easier to grip. Then the operating environment changed--car thieves exploited the design to open the car with a coathanger. Was the button designed that way on purpose? Yes, but not for that reason. The design was first patched (the flange disappeared), then eventually changed altogether.
I'd like to think MS is leveling here; I'm of the opinion that most corporate entities don't have nefarious plans up their sleeves to take advantage of the customer. It backfires in the long run. Sony is a good example of a company I no longer trust, because their rootkit was designed specifically to bypass owners' detection for Sony's benefit. This MS thing could very well be just a leftover from a more innocent time before hackers got malicious, and people didn't lock their houses, and left their cars running while going into the corner store.
Maybe I'm a leftover from a more innocent time.