WMF “Vulnerability” was really a backdoor?

January 13, 2006

Leo and I carefully examine the operation of the recently patched Windows MetaFile vulnerability. I describe exactly how it works in an effort to explain why it doesn’t have the feeling of another Microsoft “coding error”. It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution “backdoor”. We will likely never know if this was the case, but the forensic evidence appears to be quite compelling.

UPDATE: Well, this explains it http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx. I can’t wait to hear Steve’s response…
UPDATE: Okay, so the people who write exploits for a living have basically said Steve is flat out wrong. I believe they are correct because:

1) The people who write exploits for a living would have seen this first and called out Microsoft long before Steve Gibson decided to write his “KnockKnock.exe” tool (I swear his tools are named by a 4th grader)
2) As others have pointed out, if Microsoft really wanted to build a backdoor into Windows they would have used encryption so that no one would know about it or be able to use it.

Come listen to Security Weekly, where we don’t make false accusations… Oh, and we’re now sponsored by SANS, so you get discounted training, from real security experts :)
Is this really true? Is there no possible way that this was a bug or useful feature? Steve is essentially saying, well yes. He states that there is no legitimate purpose for the SETABORTPROC to accessible from a WMF file. Printing, yes, WMF files, no. He also states that he has to lie about the length of the record in order to get his code to execute. I have not tested any of these exploits in depth, if anyone can confirm this claim, please drop me a line. This essentially means that Microsoft is guilty of putting a backdoor into Windows…. Would it be the first time? Would it be the last time? Of course, Microsoft claims it is actively looking for similar flaws. Guess what, so is everyone else…
.com

Paul Asadoorian

Paul Asadoorian is the founder of Security Weekly, which was acquired by CyberRisk Alliance. Paul spent time “in the trenches” implementing security programs for a lottery company and then a large university. Paul is offensive, having spent several years as a penetration tester. As Product Evangelist for Tenable Network Security, Paul built a library of materials on the topic of vulnerability management. When not hacking together embedded systems (or just plain hacking them) or coding silly projects in Python, Paul can be found researching his next set of headphones.

WMF “Vulnerability” was really a backdoor?

Related

DHS cyber exec talks China, AI and CISO outreach

EU urged to reconsider Cyber Resilience Act’s bug reporting within 24 hours

Half of Exim mail transfer agent zero-days addressed

Related Events

Reducing silos between Developers and AppSec in your Software Supply Chain with Snyk and ServiceNow

Vulnerability management: Finding and fixing your fatal flaws

Generative AI: Understanding the AppSec risks and how DAST can mitigate them

Get daily email updates