Wmf Deliberate



Or some part of the horse, anyway.

Hey! I worship that guy. I've been a fan of his programming skills since the Windows 3.x days, anybody who programs in machine language as a matter of course is a God in my book. "Gee, I'll just whip up a utility to do such-and-such, here we go: 110001100110001110001110001111100011000, done!"

I d/l'ed the utility mentioned and, as always, I was taken by surprise at how quickly it downloaded (because machine language takes up so little space). Again because it's in machine language his stuff is FAST. And he is scrupulous about not leaving stuff in memory, not needing DLL's and other crap all over so everything is easy to remove, plus, and remember this was also always true back in the day, everything he writes WORKS AS ADVERTISED. No program source I've used in 16 years of using a PC has been 100% faultless, his are.

------

As for his conclusion about the WMF exploit possibly being intentionally designed into Windows ... You can't see it, but my mouth is agape. Keeping up to date on this will be interesting (to say the least).

I've been a fan of his programming skills since the Windows 3.x days, anybody who programs in machine language as a matter of course is a God in my book.

jcl@ubuntu:~/src$ cat h.asm
section .data

msg db 0x57,0x6F,0x72,0x73,0x68,0x69,0x70,0x20,0x4D,0x65,0x2E,0xa   ; "Worship Me.\n" as raw bytes
msglen equ $ - msg                                                  ; length computed by the assembler

section .text

global _start
_start:
mov eax, 4          ; sys_write (32-bit Linux syscall number)
mov ebx, 1          ; fd 1 = stdout
mov ecx, msg        ; buffer address
mov edx, msglen     ; byte count
int 0x80

mov eax, 1          ; sys_exit
xor ebx, ebx        ; exit status 0
int 0x80

jcl@ubuntu:~/src$ nasm -f elf h.asm
jcl@ubuntu:~/src$ ld -o h h.o
jcl@ubuntu:~/src$ ./h
Worship Me.

Seriously, it's not a big deal. Lots of people go through an assembly phase. Most of them outgrow it and move to better tools. Gibson stands out because he's an evangelist with a talent for self-promotion. (Or a self-promoter with a talent for assembly programming.)

As for his conclusion about the WMF exploit possibly being intentionally designed into Windows ... You can't see it, but my mouth is agape. Keeping up to date on this will be interesting (to say the least).

I'll believe it when I see the code.

Edit: This is too funny. WINE is vulnerable. You suppose Gibson will claim that insidious Microsoft hackers compromised WINE? Or maybe admit that it's a documented feature that's been around for 15 years?

Also, the MS Security Response Center has an explanation of the vulnerability and an indirect response to Gibson.

Edited by jcl
  • 2 weeks later...

Windows back door rumor is bunk

By Thomas C Greene in Washington

Contrary to a recent rumor circulating on the internet, Microsoft did not intentionally back-door the majority of Windows systems by means of the WMF vulnerability. Although it is a serious issue that should be patched straight away, the idea that it's a secret back door is quite preposterous.

The rumor began when popinjay expert Steve Gibson examined an unofficial patch issued by Ilfak Guilfanov, and, due to his lack of security experience, observed behavior that he could not explain by means other than a Microsoft conspiracy. He then went on to speculate publicly about this via a "This Week in Tech" podcast, and on his own web site. Slashdot grabbed the story, and the result is a fair number of Netizens who now mistakenly believe that the WMF flaw was created with malicious intent.

What it is

We think it's time that this irrational fear is put to rest. First, let's look at how the flaw works: A WMF (Windows Metafile) image can trigger the execution of arbitrary code because the rendering engine, shimgvw.dll, supports the SetAbortProc API, which was originally intended as a means to cancel a print task, say when the printer is busy with a very large job, or the queue is very long, or there is a mechanical problem, and so on. Unfortunately, due to a bit of careless coding, it is possible to cause shimgvw.dll (i.e., the Windows Picture and Fax Viewer) to execute code when SetAbortProc is invoked.

A metafile is essentially a script to play back graphical device interface (GDI) calls when a rendering task is initiated. Unfortunately, and due entirely to Microsoft's carelessness whenever security competes with functionality, it is possible to point the abort procedure to arbitrary code embedded in a metafile.

Gibson could not imagine why WMF rendering should need the SetAbortProc API, since, as he mistakenly believed, WMF outputs to a screen, not a printer. In fact, it can output to a printer as well. But following Gibson's erroneous assumption, the question arose: what would be the point of polling the process and allowing the user, or application, to cancel it?

Having exhausted his imagination on that score, he concluded that there's no good reason for SetAbortProc to be involved in handling metafiles. The more logical explanation, Gibson reckoned, was that someone at Microsoft had deliberately back-doored Windows with this peculiar little stuff-up. And besides, the idea of compromising a computer with an image file seemed quite cloak-and-dagger, adding to the supposed "mystery."

Nothing new here

To anyone well acquainted with Windows security, hence Microsoft's insistence on ease of use whatever the cost, the idea of intentional mischief along these lines is immediately suspect. Microsoft still encourages users to run Windows as administrators, because it believes that logging in is too much trouble for the average point-and-drool civilian. It enables scores of potentially dangerous networking services by default, lest anyone struggle to enable them as needed; and its security scheme for IE - which, instead of distrusting Web content by default, forces the user to decide whose content to trust and whose not to - is essentially a means of skirting responsibility by blaming the victim for the crushing burden of malware they are carrying.

Microsoft has made a pudding of security from its earliest days, and no amount of malicious intent can possibly account for this. The company's obsession with ease of use is more than adequate to account for this and thousands of other security snafus like it.

Furthermore, the WMF flaw doesn't make for a good backdoor, assuming that one would like to target a user, or class of users. For example, IE is not in itself vulnerable; the problem comes when the system renders online WMF files with shimgvw.dll. So luring a Windows user to a malicious web site is no guarantee that they will be affected, while many others, who are not targets, might well be affected. Similarly, when sending a malicious WMF file via e-mail or IM, there is no guarantee that the intended target or targets will be vulnerable. And there are plenty of other types of malicious file that can be sent or placed on line in a similar manner, so there is no distinct advantage to using WMF. It is not a powerful back door.

Finally, Microsoft doesn't need this as a back door; it already has one: Windows Automatic Update. It's got Windows boxes phoning home without user interaction, identifying themselves, and downloading and installing code in the background. Technically speaking, it would not be difficult for the company to pervert this process subtly, and effectively, to target certain machines for malware. But naturally, there is no possibility that it ever will: its actually doing so would be detected, and proved, and the company would end up with the PR debacle of the century. So, yes, there is a back door in Windows, and no, it is not news.

Here Gibson takes his preferred route to getting the ink that he craves: technobabble and innuendo. He can't prove anything (technically, he hasn't got the chops), so he lurks in the gray area between fact and fiction, and generates torrents of fear, uncertainty, and doubt.

The FUD Olympics

Gibson has a bad track record: a history of latching onto arcane issues that he doesn't fully understand and can never prove, and converting his limited understanding into fodder for the next internet melt-down. In mid-2001, when he discovered the SOCK_RAW protocol (which had been implemented in UNIX and Linux for ages) and Microsoft's intent to implement it in Windows XP, he predicted an "XP Christmas of Death" for 2001-2002, which has yet to materialize. Nevertheless, he made such a riot over the issue for so long that Windows XP Service Pack 2 disables the function. Naturally, the installed user base of XP machines in botnets remains the same, because the problem was, and is, the ease with which even the most inept script kiddie can own a Windows box. Default configurations are very loose, so there are scores of routes into most Windows systems that require very little knowledge or talent to exploit. Microsoft needs to tighten up thirty or so glaring design and configuration flaws, all right, but raw sockets is not among them.

In 2002, when he discovered SYN floods, he developed a broken gimmick that he called "GENESIS" (Gibson's ENcryption-Enhanced Spoofing Immunity System). He said it was "beautiful and perfect." In fact, it was nothing more than an inept implementation of SYNcookies, which had been developed (in a properly working form) for Linux by Dan Bernstein and Eric Schenk years earlier. Gibson denied that he had ever heard of SYNcookies, and insisted he had thought up his own, broken version independently, but this is highly unlikely. Of course, that can't be proved or disproved, keeping the issue in the vague territory that Gibson so comfortably inhabits.

The WMF backdoor is very much in keeping with Gibson's history of getting security matters a bit wrong, filling the gaps in his understanding with technobabble, and hyping the actual matter out of all reasonable proportion in his never-ending quest for ink.

And here, much as we regret it, we've given him even more ink. We can only hope that it dispels the ridiculous rumor that Gibson has propagated, and thus will do more good than harm. ®

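The mechanism the article describes, a metafile as a replayed list of GDI records in which the abort procedure is installed through an escape record, is also exactly what a defender can scan for. The following is an added example, not part of the thread, the Register article, or any Microsoft or Guilfanov code: a small Python checker that walks the records of a WMF file and reports every META_ESCAPE record whose escape sub-function is SETABORTPROC. The format constants (placeable-header key, header layout, record layout, META_ESCAPE = 0x0626, SETABORTPROC = 0x0009) are taken from the published Windows Metafile specification; the two sample files are constructed inline for the demonstration and carry no executable content.

```python
import struct

# Windows Metafile constants (from the published MS-WMF specification).
PLACEABLE_KEY = 0x9AC6CDD7       # magic of the optional 22-byte placeable header
PLACEABLE_HEADER_LEN = 22        # bytes
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009     # escape sub-function that installs an abort procedure


def iter_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string.

    Skips the optional placeable header, then the standard header (HeaderSize is
    given in 16-bit words, normally 9 = 18 bytes). Record sizes are in words too.
    A size below the 3-word minimum, or a record running past the end of the
    buffer, is treated as corruption and stops the walk, so a truncated or
    malicious length field cannot make the scanner loop or read out of bounds.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + 18:
        return
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size_words < 3 or off + size > len(data):
            return  # malformed record: stop rather than trust the length field
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data):
    """Return the offsets of META_ESCAPE records carrying SETABORTPROC.

    A still image has no legitimate reason to install an abort procedure, so any
    hit is a file to quarantine and inspect, whatever else it contains.
    """
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape = struct.unpack_from("<H", params, 0)[0]
            if escape == ESCAPE_SETABORTPROC:
                hits.append(off)
    return hits


def _record(func, params=b""):
    """Build one WMF record: Size (words) + Function + parameters (constructed)."""
    body = struct.pack("<H", func) + params
    if len(body) % 2:          # records are word-aligned
        body += b"\x00"
    return struct.pack("<I", (len(body) + 4) // 2) + body


def _wmf(records):
    """Wrap records in a minimal 18-byte standard header (constructed sample)."""
    body = b"".join(records)
    total_words = (18 + len(body)) // 2
    max_record = max(len(r) for r in records) // 2
    # Type=1 (memory metafile), HeaderSize=9 words, Version=0x0300,
    # Size, NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_record, 0)
    return header + body


# Constructed samples, not real captures. BENIGN_WMF only sets a background
# colour; SUSPECT_WMF adds an escape record whose sub-function is SETABORTPROC.
# The escape payload is inert filler (escape code, byte count, zeros), so what
# is exercised here is the detector, not any content.
BENIGN_WMF = _wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    _record(META_EOF),
])
SUSPECT_WMF = _wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    _record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 8) + b"\x00" * 8),
    _record(META_EOF),
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        hits = find_setabortproc(sample)
        print(f"{name}: {'SETABORTPROC at offsets ' + str(hits) if hits else 'clean'}")
```

The check keys on the record's function and escape codes rather than on any particular payload, which is what made this pattern usable as a mail-gateway or IDS signature at the time: the abort procedure itself is the thing a picture should never be setting, regardless of what it points at.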
