Vulnerability Management

The Story That Never Was Comes to an End

by  •  • Comments Off

Last week, Steve Gibson accused Microsoft of having a secret backdoor built into its WMF code. When I first responded to reporter questions, here is what I said:

This is the type of thing that happens when really good developers start doing security work. They are surprised at how really bad some developers are. I predict someone with real security experience will be able explain this fairly quickly.

I don’t know many programmers who would go on the air with an accusation like that without having consulted with anyone else, anywhere. Certainly, no security researcher would do that. It could be something as simple as he’s reading the documentation incorrectly. We know that the offending function is a throwback to 16-bit windows, so who knows how they decided to maintain the backwards compatibility.

Steve must be shooting to be in his namesake Mel’s Conspiracy Theory 2. [Hey, I gotta have some fun ;-) ]

Later that evening, Microsoft came out with their response. Then the story took off from there. I don’t think the WMF Backdoor was even covered by most news sources until after the rebuttal. Microsoft’s response was more newsworthy than the accusation itself.

Well, it appears that Mark Russinovich has done the work to explain this problem. Though he is not what I would call a "security researcher" he knows Windows Internals better than anyone (his book with David Solomon, "Windows Internals" is fantastic). Here is the key paragraph:

Steve’s example WMF file contains only one record, the one that specifies SetAbortProc, so under normal circumstances PlayMetaFile will never call his abort procedure. The record sizes that he found trigger its execution cause PlayMetaFile to incorrectly increment its pointer into the WMF file such that it believes that there are more records to process, whereas the values he used that don’t trigger the execution land it on data values that indicate there are no more records. So his assertion that only certain magic values open the backdoor is wrong.

And so we ride off into the sunset, ever on the lookout for that next conspiracy. (I sure hope Steve Gibson keeps us updated like he said he would. Russinovich states that he gave his findings to him on Monday and he’s made a number of postings since then.)