From the Security Now! podcast:
Leo and I carefully examine the operation of the recently patched Windows MetaFile vulnerability. I describe exactly how it works in an effort to explain why it doesn’t have the feeling of another Microsoft “coding error”. It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution “backdoor”. We will likely never know if this was the case, but the forensic evidence appears to be quite compelling.
UPDATE: Well, this explains it http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx. I can’t wait to hear Steve’s response…
UPDATE: Okay, so the people who write exploits for a living have basically said Steve is flat out wrong. I believe they are correct because:
- 1) The people who write exploits for a living would have seen this first and called out Microsoft long before Steve Gibson decided to write his “KnockKnock.exe” tool (I swear his tools are named by a 4th grader)
- 2) As others have pointed out, if Microsoft really wanted to build a backdoor into Windows they would have used encryption so that no one would know about it or be able to use it.
Come listen to Security Weekly, where we don’t make false accusations… Oh, and we’re now sponsored by SANS, so you get discounted training, from real security experts :)
Is this really true? Is there no possible way that this was a bug or useful feature? Steve is essentially saying, well yes. He states that there is no legitimate purpose for the SETABORTPROC to accessible from a WMF file. Printing, yes, WMF files, no. He also states that he has to lie about the length of the record in order to get his code to execute. I have not tested any of these exploits in depth, if anyone can confirm this claim, please drop me a line. This essentially means that Microsoft is guilty of putting a backdoor into Windows…. Would it be the first time? Would it be the last time? Of course, Microsoft claims it is actively looking for similar flaws. Guess what, so is everyone else…
.com