[42244] in bugtraq


Re: WMF vulnerability was a deliberate backdoor?

daemon@ATHENA.MIT.EDU (Mike Ely)
Mon Jan 16 23:24:01 2006

Message-ID: <43CAC1DA.6010808@taupehat.com>
Date: Sun, 15 Jan 2006 13:42:50 -0800
From: Mike Ely <me@taupehat.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <771B638360252E4E8C31ED28FBA4580360B813@OLCCEX01>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Brooks, Shane wrote:
> I've recently had my attention brought to a post from Steve Gibson in the grc.com forums, which contains the following quote:
> 
> <snippet>
> 	The only conclusion that can reasonably be drawn is that this [setAbortProc procedure] 
> was a deliberate backdoor put into all of Microsoft's recent editions of Windows.
> </snippet>
> 
> full article here:
> http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60006
> 
> thoughts?
> 

Shane,

What you read was classic Gibson: a thorough discussion of a technical 
problem, followed by a wild speculative jump regarding the motives of 
the people who wrote the code.  He's been doing this for years, which is 
why you may notice folks here take a very jaded view of anything he says 
- ever.

In the specific case of his commentary on the WMV vulnerability, I have 
read the same writeup you have read, and my read on it was that he 
was saying something like the following:
	"There's an unhandled exception that doesn't even need to be there in 
the first place, therefore it's a deliberate backdoor."
To me, this just screams "Does Not Follow!"  I've seen plenty of equally 
stupid mistakes coming from Redmond (and elsewhere) that didn't happen 
to result in remote code execution, but were nonetheless astonishingly 
dumb.  For example, up until a couple days ago, you could make the error 
handler at ideas.live.com write all sorts of amusing stuff to their 404 
page simply by appending it to the URL.  Was it a security risk? 
Possibly, probably not.  Was it really dumb?  Duh.

So my take on Gibson's post can be summed up as follows: Interesting 
writeup on the problem, but he's come nowhere close to proving to me 
that the WMF vulnerability was deliberate.  If he wanted to show me the 
source code where it has a comment like "/* The following code is here at 
the behest of No Such Agency.  Do not remove from future versions. */" I 
might start to consider the possibility of some dark conspiracy.  As it 
stands, it just looks to me like Yet Another Dumb Screwup by Microsoft 
(YADSM).

Cheers,
Mike Ely
