Debunking the WMF backdoor
Thomas C. Greene, 2006-01-23

Claims that the WMF vulnerability was an intentional backdoor into Windows systems make for an interesting conspiracy theory, but don't fit the facts.

Debunking the WMF backdoor 2006-01-23
Rick Luther
Finally Someone said it... 2006-01-24
Jon Hash
Debunking the WMF backdoor 2006-01-24
assurbanipal (1 replies)
Re: Debunking the WMF backdoor 2006-01-30
Alexey Vesnin
Debunking the WMF backdoor 2006-01-24
Anonymous
Debunking the WMF backdoor 2006-01-24
Anonymous
Debunking the WMF backdoor 2006-01-24
Anonymous
Debunking the WMF backdoor 2006-01-24
ScuzzMonkey (1 replies)
Re: Debunking the WMF backdoor 2006-01-25
Ikester
Debunking the WMF backdoor 2006-01-24
ScuzzMonkey (2 replies)
Re: Debunking the WMF backdoor 2006-01-24
Kelly Martin (1 replies)
Re: Re: Debunking the WMF backdoor 2006-01-25
Steve Bostedor
Re: Debunking the WMF backdoor 2006-01-25
elMurado
Debunking the WMF backdoor 2006-01-25
Anonymous (1 replies)
Re: Debunking the WMF backdoor 2006-01-27
Penguinisto
Mr. Greene, I wouldn't be surprised if you get sued for this. 2006-01-25
Roger (2 replies)
Not only is your article an unnecessarily vitriolic attack on Gibson personally (something you have, of course, been doing for several years now), but many of the points you use to make that attack are wrong, and could have been easily seen to be wrong if you had bothered to read the interview which you claim to be "debunking".

I'll cover just a few of your points to illustrate how wildly off-base you are.

1. "The rumor began when popinjay expert Steve Gibson examined an unofficial patch issued by Ilfak Guilfanov, and, due to his lack of security experience, observed behavior that he could not explain by means other than a Microsoft conspiracy."

Totally false. According to Guilfanov himself, Gibson collaborated with Guilfanov to port the temporary patch to Windows 2000, so claiming that he didn't understand it is risible. In any case this had nothing to do with the analysis which resulted in Gibson speculating about a deliberate backdoor. That analysis came from trying to study the flaw from "first principles" by reverse engineering example attack code from the web and running Microsoft's defective dll through a debugger.

Additionally, nowhere is any "conspiracy" mentioned. He talks about a possible rogue programmer, or test code that someone never got around to removing. The closest he came to postulating a "conspiracy" is observing that this flaw (data and code packed in one file) is exactly the sort of thing that Microsoft should have detected in their new code security audits. At the very next interview -- well before your criticisms appeared -- he hastened to point out that those talking of conspiracies were misrepresenting him.

By the way, what is a "popinjay expert"? Must be some sort of parrot fancier. Personally, I like the Norwegian Blue.

2. "Gibson could not imagine why WMF rendering should need the SetAbortProc API, since, as he mistakenly believed, WMF outputs to a screen, not a printer. In fact, it can output to a printer as well."

Quite misleading. Gibson explains that the SetAbortProc API is for output to a printer, and even explains why in considerably more depth than you did. His actual complaint is that its execution can be, and in fact is, context dependent so that there is no reason to expose the functionality for output media other than printers. And can he not imagine why this would happen? No, what he actually said was "... they didn't think to remove it or take it out."

3. "But following Gibson's erroneous assumption, the question arose: what would be the point of polling the process and allowing the user, or application, to cancel it?"

Completely false. No such question arises, except by way of explaining the answer. What he actually wonders is why the effect that he observes is only triggered by a very specific illegal value -- something which hints at intent. In this respect, it appears that he is indeed wrong -- sort of. Actually, it seems that he has stumbled on an additional bug ancillary to the main one. The execution of code in the abort record normally only occurs automatically if it is not the last record (since it makes no sense to abort when you have already processed all records). Thus, it does not occur at all if there is only one record. Gibson seems to have discovered that even if there is only one record, and thus there would be no code execution otherwise, execution can be triggered by a malformed length field. He incorrectly thought this was the only way to trigger the problem, when in fact it appears that this is an additional bug over and above the bad-design-rather-than-bug phenomenon of the code records.

If you had called him on THAT error, your criticisms would have been valid, albeit far weaker. (Note that Gibson publicly admitted this error on January 19.)

4. "Having exhausted his imagination on that score, he concluded that there's no good reason for SetAbortProc to be involved in handling metafiles."

Did Gibson really claim he had exhausted his imagination and there was no other explanation? Hmm, here are some quotes from the interview:

Steve Gibson: "Again, I've got some more work to do, and then the timing of this Security Now! podcast coincided with, you know, I've known this for a day now. And I've been going back over it and trying to come up with a reason, I mean, a benign reason for this. And I just don't see it."

Steve Gibson: "So, again, it may be that a week from now I come back with my tail between my legs and say, Leo, you know, I told what I believed to be the case at the time. I now see how this makes sense, and something that I see in the code didn't occur to me. I haven't done that yet. So that's what I'll be doing."

Yeah, that's really set in stone. That really sounds like he's totally slammed the door on any other possibilities.

5. "Furthermore, the WMF flaw doesn't make for a good backdoor,..."

Indeed. Of course, most of the points you make here are not original, but were already covered -- in that very interview, by Laporte, at the only point where there is anything resembling serious speculation that it could be some sort of grand conspiracy. No real conclusion is reached because Steve wanted to talk about something else, but the tone is skeptical.

I could go on, but the pub is calling....


I don't know what your beef with Gibson is, Thomas, but on a snap poll of those around me at the moment, it is starting to damage YOUR credibility rather than his, and that of El Reg as well.

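The comment above turns on two details of the WMF record layout: the escape record that registers an abort procedure via SetAbortProc, and the malformed length field that Gibson observed triggering it. The scanner below, an added example that is not part of the original article or thread, walks a WMF blob record by record and flags both conditions for a defender reviewing suspect images; the record constants are the standard WMF ones, and the sample file is constructed here with zeroed escape data.

```python
import struct

META_ESCAPE = 0x0626      # WMF record function: escape
SETABORTPROC = 0x0009     # escape sub-function: register an abort procedure
META_EOF = 0x0000
PLACEABLE_MAGIC = 0x9AC6CDD7   # 22-byte Aldus placeable header, if present
METAHEADER_LEN = 18            # standard WMF header

def _header_len(data: bytes) -> int:
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return 22 + METAHEADER_LEN
    return METAHEADER_LEN

def iter_records(data: bytes):
    """Yield (offset, size_in_words, function) for each record.
    Stops once a record's declared size cannot be trusted to advance the cursor."""
    off = _header_len(data)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        yield off, size_words, func
        # a record is at least 3 words (DWORD size + WORD function)
        if size_words < 3 or off + size_words * 2 > len(data):
            return
        if func == META_EOF:
            return
        off += size_words * 2

def scan_wmf(data: bytes):
    """Return findings as (kind, offset, declared_size_words) tuples."""
    findings = []
    for off, size_words, func in iter_records(data):
        if size_words < 3 or off + size_words * 2 > len(data):
            findings.append(("malformed_record_size", off, size_words))
        # escape records carry the escape sub-function right after the header
        if func == META_ESCAPE and off + 8 <= len(data):
            esc = struct.unpack_from("<H", data, off + 6)[0]
            if esc == SETABORTPROC:
                findings.append(("setabortproc_escape", off, size_words))
    return findings

def build_sample(escape_size_words: int) -> bytes:
    """Constructed minimal WMF: header, one SETABORTPROC escape record with four
    zero data bytes, then META_EOF. A correct size for that record is 7 words."""
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
    esc = struct.pack("<IHHH", escape_size_words, META_ESCAPE, SETABORTPROC, 4) + b"\x00" * 4
    eof = struct.pack("<IH", 3, META_EOF)
    return hdr + esc + eof

if __name__ == "__main__":
    for size in (7, 1):
        print(size, scan_wmf(build_sample(size)))
```

A well-formed file yields only the escape finding; a size field of 1 yields both findings at the same offset, which is the single-record case the comment describes.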
Gibson is an idiot 2006-02-09
Anonymous
Your mistake 2006-05-30
henriko
Copyright 2008, SecurityFocus