Vulnerability Management

WMF “Vulnerability” was really a backdoor?

From the Security Now! podcast:

Leo and I carefully examine the operation of the recently patched Windows MetaFile vulnerability. I describe exactly how it works in an effort to explain why it doesn’t have the feeling of another Microsoft “coding error”. It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution “backdoor”. We will likely never know if this was the case, but the forensic evidence appears to be quite compelling.

UPDATE: Well, this explains it I can’t wait to hear Steve’s response…
UPDATE: Okay, so the people who write exploits for a living have basically said Steve is flat out wrong. I believe they are correct because:

  • 1) The people who write exploits for a living would have seen this first and called out Microsoft long before Steve Gibson decided to write his “KnockKnock.exe” tool (I swear his tools are named by a 4th grader)
  • 2) As others have pointed out, if Microsoft really wanted to build a backdoor into Windows they would have used encryption so that no one would know about it or be able to use it.

Come listen to Security Weekly, where we don’t make false accusations… Oh, and we’re now sponsored by SANS, so you get discounted training, from real security experts :)
Is this really true? Is there no possible way that this was a bug or useful feature? Steve is essentially saying, well yes. He states that there is no legitimate purpose for the SETABORTPROC to accessible from a WMF file. Printing, yes, WMF files, no. He also states that he has to lie about the length of the record in order to get his code to execute. I have not tested any of these exploits in depth, if anyone can confirm this claim, please drop me a line. This essentially means that Microsoft is guilty of putting a backdoor into Windows…. Would it be the first time? Would it be the last time? Of course, Microsoft claims it is actively looking for similar flaws. Guess what, so is everyone else…

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.