By Gregg Keizer
Jan 17, 2006
Microsoft has denied allegations that the Windows Metafile (WMF) bug
is actually a "back door" planted by the company's developers so they
could secretly access users' PCs.
The charges were raised last week by Steve Gibson, security researcher
best known for his ShieldsUp Web site, in a podcast. A transcript of
that podcast is available here.
Although Gibson presented no proof of the accusation -- he said that
without access to Windows' source code it would be impossible to
prove, or disprove, his charge -- he said that any other explanation
just didn't make sense.
"This was not a mistake. This is not buggy code. This was put into
Windows by someone," Gibson said in the podcast Thursday. Gibson went
on to hypothesize that Microsoft created this back door as a way to
add code to users' machines whenever it wanted to.
"For example, if Microsoft was worried that for some reason in the
future they might have cause to get visitors to their website [sic] to
execute code, even if ActiveX is turned off, even if security is up
full, even if firewalls are on, basically if Microsoft wanted a short
circuit, a means to get code run in a Windows machine by visiting
their website [sic], they have had that ability, and this code gave it
to them," Gibson said.
"I don't see any way that this was not something that someone in
Microsoft deliberately put into Windows," he concluded.
A Microsoft official denied the allegation in an entry on the
Microsoft Security Response Center blog written late Friday. Program
manager Stephen Toulouse wrote a detailed explanation of the
"SetAbortProc" function's vulnerability, and said that the flaw was an
inadvertent bug, not coding by design.
"There's been some speculation that you can only trigger this by using
an incorrect size in your metafile record and that this trigger was
somehow intentional. That speculation is wrong on both counts," wrote
Toulouse. Gibson said that one reason he began thinking that the WMF
vulnerability was a back door was because he could exploit the flaw
only with a metafile record of an incorrect size.
But Toulouse rejected that claim. "The vulnerability can be triggered
with correct or incorrect size values," said Toulouse, who said that
Gibson's experience likely resulted from putting the SetAbortProc
record as the last record in the metafile.
Toulouse also acknowledged that the bug was introduced into Windows at
a time when attackers were not yet using malicious image files to
exploit vulnerabilities. "This was a
different time in the security landscape and these metafile records
were all completely trusted by the OS," he said. "When it was
introduced, the SetAbortProc functionality served an important
Toulouse also said that SetAbortProc, the vulnerable function in the
graphics rendering engine (GDI), predates the Windows Metafile format,
another reason, he argued, why Gibson's charges don't add up.
(SetAbortProc's purpose is to allow print jobs to be canceled.)
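The two technical points in the exchange above, that the trigger is a SetAbortProc escape record inside a metafile and that it works with correct or incorrect record sizes, are what a defender's file scanner keys on. The following is an added example, not code from the article, from Gibson or from Microsoft: a small Python parser that walks the WMF record list, flags any META_ESCAPE record whose escape function is SETABORTPROC, and separately reports whether any record's declared size disagrees with its contents. The record and escape numbers (META_ESCAPE 0x0626, SETABORTPROC 0x0009, the placeable-header magic) are from the published WMF format; the sample file is constructed here, and its escape data is a zero-byte placeholder rather than anything from a real file.

```python
import struct

# Constants from the Windows Metafile format: record function numbers and the
# escape sub-function that registers an abort-procedure callback.
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header before the standard one
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103       # used only for the benign record in the constructed sample
SETABORTPROC = 0x0009


def scan_wmf(data: bytes) -> dict:
    """Walk the WMF record list and report META_ESCAPE records whose escape
    function is SETABORTPROC, plus whether any record's declared size is wrong."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # Standard header: Type, HeaderSize (words), Version, FileSize, NumObjects, MaxRecord, NumMembers
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2

    records = []          # (offset, function) for every record seen
    hits = []             # SETABORTPROC escapes found
    size_mismatch = False
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # Size is counted in 16-bit words
        records.append((off, func))
        if func == META_EOF:
            break
        if size_words < 3 or off + size_words * 2 > len(data):
            size_mismatch = True   # declared size cannot fit in this file
            break
        if func == META_ESCAPE and size_words >= 5:
            esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
            # 3 record-header words + 2 escape-header words + data padded to a word boundary
            if size_words != 5 + (byte_count + 1) // 2:
                size_mismatch = True
            if esc_func == SETABORTPROC:
                hits.append({"offset": off, "size_words": size_words,
                             "escape_bytes": byte_count})
        off += size_words * 2

    # Note whether each hit is the final record before META_EOF / end of file,
    # the placement Toulouse mentions as the likely cause of Gibson's observation.
    last_drawing_record = None
    for rec_off, func in records:
        if func != META_EOF:
            last_drawing_record = rec_off
    for hit in hits:
        hit["is_last_record"] = hit["offset"] == last_drawing_record
    return {"records": len(records), "setabortproc": hits, "size_mismatch": size_mismatch}


def _record(func: int, params: bytes, declared_delta: int = 0) -> bytes:
    """Build one WMF record; declared_delta deliberately mis-states the size field."""
    if len(params) % 2:
        params += b"\0"            # records are word-aligned
    return struct.pack("<IH", 3 + len(params) // 2 + declared_delta, func) + params


def build_sample_wmf(with_setabortproc: bool, declared_size_delta: int = 0) -> bytes:
    """Constructed sample: a benign record, optionally a SETABORTPROC escape
    (with placeholder zero bytes as escape data), then META_EOF."""
    recs = [_record(META_SETMAPMODE, struct.pack("<H", 8))]
    if with_setabortproc:
        escape_data = b"\0" * 4    # placeholder, not real escape data
        params = struct.pack("<HH", SETABORTPROC, len(escape_data)) + escape_data
        recs.append(_record(META_ESCAPE, params, declared_size_delta))
    recs.append(_record(META_EOF, b""))
    body = b"".join(recs)
    max_record = max(len(r) for r in recs) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_record, 0)
    return header + body


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_wmf(False)),
                          ("setabortproc", build_sample_wmf(True)),
                          ("setabortproc, wrong size", build_sample_wmf(True, 1))):
        print(label, "->", scan_wmf(sample))
```

Running the block on the three constructed samples shows the escape being reported whether its size field is right or wrong, which is the behaviour Toulouse describes; the size check is reported separately so a scanner can still treat a malformed record as suspicious on its own. On real files the placeable header, if present, is skipped before the standard header is read.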
Most other security experts rejected Gibson's back-door theory.
"[There's] lots of old code hanging around Windows," said Richard
Stiennon, director of threat research for Boulder, Colo.-based
anti-spyware vendor Webroot. "Mr. Gibson is being spooked by ghosts of