

Intentional windows backdoor?



#1 x2p


Posted 15 January 2006 - 10:59 PM

This from a friend of mine.... don't ask who he is....

Flash: Steve Gibson has been working with the WMF vulnerability and is now convinced that this is an intentional backdoor into Windows added by Microsoft.

"Microsoft has patched the WMF vulnerability in Windows 2000 and XP, but in his research for a fix for Windows 95/98/Me Steve has come up with a blockbuster. It is his considered opinion that the WMF vulnerability could not have been a mistake. It was an intentional backdoor inserted into Windows by Microsoft for reasons unknown. Listen for details."

"So over the weekend I rolled up my sleeves and sort of switched into what was really hacker mode. . . . And I wanted to acquire an understanding of exactly what this problem was in order to determine for myself first if, in fact, these older versions of Windows were actually vulnerable. And then, if so, I would certainly have a head start on how to cure that vulnerability.

So I started with what was known, which was the vulnerability in our existing versions of Windows, you know, 2000, XP, and so forth, and basically created from scratch my own GRC-style vulnerability testing tool. . . . I was using this, you know, this Escape/SETABORTPROC procedure that we knew was sort of the vector of exploitation. Mine wasn't working. And... I removed the patch from my system, and I could not get the exploit to trigger using a metafile that I created with my own code.

Well, it turned out that, first of all, the way this Escape function was working was it didn't strike me as, like, erroneous. That is, what this Escape/SETABORTPROC function does, the idea is that when an application is printing to the printer, . . .It is just simply a callback routine that's designed for aborting a printing process so that you can callback the calling program.

First of all, it makes no sense at all in a metafile device context. In the context of processing a metafile, setting a printer abort is crazy because it's not a printer context. You don't print metafile contexts in this way.

What Windows did when it encountered this Escape function, followed by the SETABORTPROC metafile record, was it jumped immediately to the next byte of code and began to execute it.

You know, that's crazy. But what's even more crazy is what it took for me to make it do this. . . .Oh, and since the size is in words, the smallest possible size for a metafile record would be three words long, or six bytes. Look, the reason I had problems making this exploit happen initially is I was setting the length correctly. It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn't trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.

This was not a mistake. This is not buggy code. This was put into Windows by someone."

What do you make of this? Some people hate the guy, others love him. But I don't think he would do this purely as a publicity stunt.


Perhaps I should add something from wikipedia before you all freak out:

"It is well known that the WMF vulnerability stems from an intentional feature in the design of WMF that allows code to be embedded into WMF images; this code is executed when the image is viewed. The original purpose of this was mainly to handle the cancellation of print jobs during spooling. This is a feature that has extreme security implications in the context of the Internet, but is from another time (Windows 95), when MS had very little interest in networking beyond trusted internal corporate environments. Over the years this code has lived on in Windows without being reviewed in the current context of Internet connectivity."

That means that most of this had a purpose, but what is still a factor is the fact that you have to set the file size to 1 in order to get this to run. That seems very specific and deliberate to me, or is it just blag? Probably interesting though...

Your Thoughts Please...
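The post describes the trigger as a META_ESCAPE record carrying the SETABORTPROC sub-function with an impossible record size. Below is an added detection example (not from the post or from Gibson's tool): a small WMF record walker that reports every Escape/SETABORTPROC record in a file and flags those whose size field is below the 3-word minimum. The record layout (4-byte size in words, 2-byte function, escape sub-function, byte count) follows the public WMF format; the sample file, the `build_sample` helper and the constants named `META_SETBKCOLOR`/`MIN_RECORD_WORDS` are constructed for this example.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header
META_ESCAPE = 0x0626          # WMF record function for an Escape() call
SETABORTPROC = 0x0009         # Escape sub-function the thread discusses
META_SETBKCOLOR = 0x0201      # harmless record used to pad the sample
MIN_RECORD_WORDS = 3          # size field + function field = 3 words (6 bytes)

def scan_wmf(data):
    """Walk the record stream and report every META_ESCAPE/SETABORTPROC record,
    flagging those whose size field is below the 3-word minimum (the post's
    'length one' case). Returns a list of dicts; a clean file yields []."""
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, pos + 2)[0]  # HeaderSize, in words
    pos += header_words * 2
    findings = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == 0:  # META_EOF
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            escape_func = struct.unpack_from("<H", data, pos + 6)[0]
            if escape_func == SETABORTPROC:
                findings.append({"offset": pos, "size_words": size_words,
                                 "malformed": size_words < MIN_RECORD_WORDS})
        if size_words < MIN_RECORD_WORDS:
            break  # size can't be trusted to advance; stop rather than loop forever
        pos += size_words * 2
    return findings

def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_sample(escape_size_words=None):
    """Constructed sample file (not from the post): header, a SETBKCOLOR record,
    optionally a SETABORTPROC escape with the given size field, then META_EOF."""
    body = _record(META_SETBKCOLOR, struct.pack("<I", 0xFFFFFF))
    if escape_size_words is not None:
        body += struct.pack("<IH", escape_size_words, META_ESCAPE)
        body += struct.pack("<HH", SETABORTPROC, 0)  # escape function, byte count
    body += _record(0)  # META_EOF
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 5, 0)
    return header + body
```

Calling `scan_wmf(build_sample(1))` reproduces the size-1 case as a single flagged finding, while `scan_wmf(build_sample())` on the escape-free file returns an empty list.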

#2 RedInferno


Posted 16 January 2006 - 12:01 AM

That's freaky, I sure hope it's not true...

I am researching it....
