By Thomas C Greene in Washington
21st January 2006
Contrary to a recent rumor circulating on the internet, Microsoft did
not intentionally back-door the majority of Windows systems by means
of the WMF vulnerability. Although it is a serious issue that should
be patched straight away, the idea that it's a secret back door is
The rumor began when popinjay expert Steve Gibson examined an
unofficial patch issued by Ilfak Guilfanov, and, due to his lack of
security experience, observed behavior that he could not explain by
means other than a Microsoft conspiracy. He then went on to speculate
publicly about this via a "This Week in Tech" podcast, and on his own
web site. Slashdot grabbed the story, and the result is a fair number
of Netizens who now mistakenly believe that the WMF flaw was created
with malicious intent.
What it is
We think it's time that this irrational fear is put to rest. First,
let's look at how the flaw works: A WMF (Windows Metafile) image can
trigger the execution of arbitrary code because the rendering engine,
shimgvw.dll, supports the SetAbortProc API, which was originally
intended as a means to cancel a print task, say when the printer is
busy with a very large job, or the queue is very long, or there is a
mechanical problem, and so on. Unfortunately, due to a bit of careless
coding, it is possible to cause shimgvw.dll (i.e., the Windows Picture
and Fax Viewer) to execute code when SetAbortProc is invoked.
A metafile is essentially a script to play back graphical device
interface (GDI) calls when a rendering task is initiated.
Unfortunately, and due entirely to Microsoft's carelessness whenever
security competes with functionality, it is possible to point the
abort procedure to arbitrary code embedded in a metafile.
Gibson could not imagine why WMF rendering should need the
SetAbortProc API, since, as he mistakenly believed, WMF outputs to a
screen, not a printer. In fact, it can output to a printer as well.
But following Gibson's erroneous assumption, the question arose: what
would be the point of polling the process and allowing the user, or
application, to cancel it?
Having exhausted his imagination on that score, he concluded that
there's no good reason for SetAbortProc to be involved in handling
metafiles. The more logical explanation, Gibson reckoned, was that
someone at Microsoft had deliberately back-doored Windows with this
peculiar little stuff-up. And besides, the idea of compromising a
computer with an image file seemed quite cloak-and-dagger, adding to
the supposed "mystery."
Nothing new here
To anyone well acquainted with Windows security, hence Microsoft's
insistence on ease of use whatever the cost, the idea of intentional
mischief along these lines is immediately suspect. Microsoft still
encourages users to run Windows as administrators, because it believes
that logging in is too much trouble for the average point-and-drool
civilian. It enables scores of potentially dangerous networking
services by default, lest anyone struggle to enable them as needed;
and its security scheme for IE - which, instead of distrusting Web
content by default, forces the user to decide whose content to trust
and whose not to - is essentially a means of skirting responsibility
by blaming the victim for the crushing burden of malware they are
Microsoft has made a pudding of security from its earliest days, and
no amount of malicious intent can possibly account for this. The
company's obsession with ease of use is more than adequate to account
for this and thousands of other security snafus like it.
Furthermore, the WMF flaw doesn't make for a good backdoor, assuming
that one would like to target a user, or class of users. For example,
IE is not in itself vulnerable; the problem comes when the system
renders online WMF files with shimgvw.dll. So luring a Windows user to
a malicious web site is no guarantee that they will be affected, while
many others, who are not targets, might well be affected. Similarly,
when sending a malicious WMF file via e-mail or IM, there is no
guarantee that the intended target or targets will be vulnerable. And
there are plenty of other types of malicious file that can be sent or
placed on line in a similar manner, so there is no distinct advantage
to using WMF. It is not a powerful back door.
Finally, Microsoft doesn't need this as a back door; it already has
one: Windows Automatic Update. It's got Windows boxes phoning home
without user interaction, identifying themselves, and downloading and
installing code in the background. Technically speaking, it would not
be difficult for the company to pervert this process subtly, and
effectively, to target certain machines for malware. But naturally,
there is no possibility that it ever will: its actually doing so would
be detected, and proved, and the company would end up with the PR
debacle of the century. So, yes, there is a back door in Windows, and
no, it is not news.
Here Gibson takes his preferred route to getting the ink that he
craves: technobabble and innuendo. He can't prove anything
(technically, he hasn't got the chops), so he lurks in the gray area
between fact and fiction, and generates torrents of fear, uncertainty,
The FUD Olympics
Gibson has a bad track record: a history of latching onto arcane
issues that he doesn't fully understand and can never prove, and
converting his limited understanding into fodder for the next internet
melt-down. In mid-2001, when he discovered the SOCK_RAW protocol
(which had been implemented in UNIX and Linux for ages) and
Microsoft's intent to implement it in Windows XP, he predicted an "XP
Christmas of Death" for 2001-2002, which has yet to materialize.
Nevertheless, he made such a riot over the issue for so long that
Windows XP service Pack 2 disables the function. Naturally, the
installed user base of XP machines in botnets remains the same,
because the problem was, and is, the ease with which even the most
inept script kiddie can own a Windows box. Default configurations are
very loose, so there are scores of routes into most Windows systems
that require very little knowledge or talent to exploit. Microsoft
needs to tighten up thirty or so glaring design and configuration
flaws, all right, but raw sockets is not among them.
In 2002, when he discovered SYN floods, he developed a broken gimmick
that he called "GENESIS" (Gibson's ENcryption-Enhanced Spoofing
Immunity System). He said it was "beautiful and perfect." In fact, it
was nothing more than an inept implementation of SYNcookies, which had
been developed (in a properly working form) for Linux by Dan Bernstein
and Eric Schenk years earlier. Gibson denied that he had ever heard of
SYNcookies, and insisted had thought up his own, broken version
independently, but this is highly unlikely. Of course, that can't be
proved or disproved, keeping the issue in the vague territory that
Gibson so comfortably inhabits.
The WMF backdoor very much in keeping with Gibson's history of getting
security matters a bit wrong, filling the gaps in his understanding
with technobabble, and hyping the actual matter out of all reasonable
proportion in his neverending quest of ink.
And here, much as we regret it, we've given him even more ink. We can
only hope that it dispels the ridiculous rumor that Gibson has
propagated, and thus will do more good than harm. =AE
InfoSec News v2.0 - Coming Soon!