Posted on 01/13/2006 1:26:20 PM PST by dinasour
Leo [Laporte] and I [Steve Gibson] carefully examine the operation of the recently patched Windows MetaFile vulnerability. I describe exactly how it works in an effort to explain why it doesn't have the feeling of another Microsoft "coding error". It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution "backdoor". We will likely never know if this was the case, but the forensic evidence appears to be quite compelling.
(Excerpt) Read more at grc.com ...
Aww, Bill would never do that. Would he?
I agree. I have followed Steve for some time and have a good deal of respect for him.
I am also a programmer and may understand his analysis more than most. I find his argument compelling.
It would be very interesting to see the original source for this "feature". That would be conclusive.
Sounds like it's more an annoyance than it is a feature, and yes, I'm on dialup.
Putting the timeout code in the image itself sure seems like a damn-fool way to code something that should be handled by the main application itself.
Sounds like "plausible deniability" to me.
I just listened to the whole thing. I am a programmer, and it sounds plausible. He defends his position very well. However, Gibson is known for false alarms (raw sockets, anyone?), so I'll have to wait before believing this until Gibson finishes his analysis and we hear the reaction from other credible researchers.
The point that interested me was the fact that the WMF interpreter was starting a separate thread to execute the embedded code.
To me, this shows intent to execute something, and is not the way a buffer overrun would work.
I will admit that Steve is a bit of a self promoter, but we have a few of those here, as well. And it doesn't make them necessarily wrong.
If this "Feature" predates widespread Internet usage, I would consider it to be as likely a bone-headed design decision as a malicious one.
The original Macintosh OS was highly susceptible to viruses because the designers didn't think anyone would abuse the system. Before it became necessary to run virus scanners, some of the security weaknesses could actually be used to do interesting things. For example, if you put a custom WDEF resource ID #0 in a disk's "Desktop" file, any folder windows on that disk would be drawn with the window-drawing routines in your WDEF instead of the normal system WDEF ID #0. Obviously something very easy for virus authors to exploit (until anti-virus tools started automatically nuking any *DEF resources in Desktop files), but in 1984 nobody had any clue that such a thing as computer viruses would even be created.
My guess with the WMF vulnerability is that someone wanted the Windows OS to record in a metafile everything the code did in the generation of a picture. SetAbortProc was a GDI call, so it got recorded with everything else. The fact that recording such events was useless and pointless was beside the point.
BTW, what I'd like to see someone implement in an OS would be a CODEC interface for pictures, sound, etc. that would instantiate a VM with a fixed, defined address space and NO privileges whatsoever. There would be an area of memory in which source data would be placed before calling the code in the VM, and an area of memory where it would put the results. The CODEC could run as machine code, but would be stuck in its sandbox as with interpreted-code VMs. If the data to be decoded was malformed and the CODEC hit a buffer overflow or other error, the invalid data could take over the CODEC's VM, but it wouldn't be able to do anything with it.
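The posts above make two technical points: a WMF file is a recording of GDI calls, so a SetAbortProc call ends up in the file as an Escape record, and the interpreter then executes whatever that record carries. The defensive consequence is that a scanner can walk the record stream and flag any Escape record whose subfunction is SETABORTPROC before the file ever reaches GDI. The following is an added example written for this page, not code from Steve Gibson, the thread, or Microsoft. It assumes only the layout of the WMF header and record stream as published in the MS-WMF specification (META_ESCAPE = 0x0626, SETABORTPROC = 0x0009, the optional 22-byte placeable header keyed 0x9AC6CDD7); the two sample files are constructed inline, and the escape data in the suspicious one is zero-filled placeholder bytes, not a real payload.

```python
import struct
from functools import reduce

# Constants from the MS-WMF specification (values are not taken from the thread).
META_ESCAPE = 0x0626        # RecordFunction of an Escape record
SETABORTPROC = 0x0009       # Escape subfunction that installs an abort procedure
META_SETBKCOLOR = 0x0201    # harmless drawing record used as filler in the samples
META_EOF = 0x0000           # terminating record
PLACEABLE_KEY = 0x9AC6CDD7  # magic at the start of the optional 22-byte placeable header


def parse_wmf_records(data: bytes):
    """Yield (offset, function, payload) for every record in a WMF byte string.

    The walker is deliberately strict: a record claiming fewer than three words
    (Size + Function alone are three words) or running past the end of the
    buffer raises instead of being skipped, so a scanner cannot be walked past
    a malformed header into a "clean" verdict.
    """
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22                                   # skip the placeable header
    if len(data) < offset + 18:
        raise ValueError("truncated WMF header")
    header_size_words = struct.unpack_from("<H", data, offset + 2)[0]
    if header_size_words != 9:                        # standard header is 9 words
        raise ValueError("unexpected WMF header size")
    offset += header_size_words * 2
    while True:
        if offset + 6 > len(data):
            raise ValueError("metafile ends without META_EOF")
        size_words, func = struct.unpack_from("<IH", data, offset)
        if size_words < 3 or offset + size_words * 2 > len(data):
            raise ValueError(f"bad record size {size_words} at offset {offset}")
        payload = data[offset + 6: offset + size_words * 2]
        yield offset, func, payload
        if func == META_EOF:
            return
        offset += size_words * 2


def find_setabortproc(data: bytes) -> list:
    """Return one dict per Escape record whose subfunction is SETABORTPROC."""
    hits = []
    for offset, func, payload in parse_wmf_records(data):
        if func == META_ESCAPE and len(payload) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", payload, 0)
            if esc_func == SETABORTPROC:
                hits.append({"offset": offset, "escape_bytes": byte_count})
    return hits


# --- constructed sample files (test data, not real metafiles from the wild) ---

def _record(func: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Assemble a minimal WMF (standard header, optional placeable header)."""
    body = b"".join(records)
    max_record_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (18 + len(body)) // 2, 0, max_record_words, 0)
    out = header + body
    if placeable:
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = reduce(lambda a, b: a ^ b, struct.unpack("<10H", head))
        out = head + struct.pack("<H", checksum) + out
    return out


ESCAPE_PAYLOAD = b"\x00" * 4   # placeholder escape data; a real file would carry code here
SETABORTPROC_RECORD = _record(
    META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(ESCAPE_PAYLOAD)) + ESCAPE_PAYLOAD)
SETBKCOLOR_RECORD = _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))

BENIGN_WMF = build_wmf([SETBKCOLOR_RECORD, _record(META_EOF)])
SUSPICIOUS_WMF = build_wmf([SETBKCOLOR_RECORD, SETABORTPROC_RECORD, _record(META_EOF)],
                           placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, find_setabortproc(blob))   # suspicious -> one hit at offset 50
```

Because the parser is strict, a file that fails to parse is not the same as a file with no hits: a scanner built on this should treat a `ValueError` as "could not verify" and quarantine or block, since the decoder the file is destined for may be far more forgiving about sizes and termination than this walker is.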
I've made a few of those.
In fact, I've been known to put real backdoors into some of my products. The network admins wouldn't give us privileges, so I said, "That's ok, I don't need them". This was done just to support the product, and my project managers knew what I was doing, but the network admin would have had kittens, if he had found out.