Author Topic: Windows WMF Backdoor speculation  (Read 7046 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Windows WMF Backdoor speculation
« on: January 14, 2006, 11:20:36 PM »
Hi malware fighters,

We all know that Microsoft came with a patch for the serious flaw for Win2xxx and XP. But while searching to fix the flaw for the abandoned Win 95, 98 & ME  platforms, the security researcher Steve Gibson says that he discovered that the WMF flaw is not a flaw but a Microsoft constructed backdoor for reasons as yet not known.
At least Microsoft must have had knowledge of this function says Gibson. Microsoft was able to remotely run code against a machine that had ActiveX disabled and a Firewall running. This piece of code was found up by chance, but there could be other constructed backdoors as well, but we have no knowledge of that, because the code is closed. Steve Gibson has not made his findings public, but he wants to know why the backdoor was there. He more likely than not never will.
Read: http://www.grc.com/sn/SN-022.htm

In my opinion there was never a backdoor there, the function was used in the days that real multitasking abilities were not there, and flushing was all there was to get enough mem free. According to the WinApi of AbortProc you will get a HDC parameter via the stack, but this is rarely used. Also WINE is vulnerable. So I do not believe any of the suggestions Steve Gibson makes here, but Microsoft must have been aware this functionality existed.

polonus
« Last Edit: January 14, 2006, 11:24:55 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Windows WMF Backdoor speculation
« Reply #1 on: January 15, 2006, 12:57:35 PM »
Sinister, very sinister.  :o

What they say about older versions of Windows is also worrying:

Quote
They say a vulnerability in Windows is critical only if its exploitation could allow the propagation of an Internet worm without user action. In other words, anything else is not critical.

Quote
...as most people probably know who are running the older versions of Windows, they've been left out to dry.

Quote
They've defined this so that, I mean, almost nothing now is a critical vulnerability. And then by moving the older versions of Windows out of that category, they said, oh, well, yes, we've agreed that we will patch older versions of Windows' critical vulnerabilities, but we're no longer maintaining those older versions for non-critical vulnerabilities. In other words, this allowed them last week to say, oh, this Windows MetaFile exploit is non-critical, so the older versions of Windows we're not going to fix.

Quote
Steve: It's amazing. And so, get this, the next level down from "critical" is an "important severity" rating. An "important severity" is a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data or the integrity or availability of processing resources.

Quote
Leo: In their defense, I guess what you could say is, well, if people choose to run an old, out-of-date operating system, we really can't be held accountable for it unless it impacts the health of the Internet. In other words, if you choose to run an old operating system, we're not going to protect you, but we'll do our duty and protect the Internet. I mean, that's not unreasonable, is it?

Steve: And I also agree that, you know, it makes sense for them to set some sort of sunset provision here where they're not being obligated to, like, for example, go back and patch Windows 3.0.

Leo: Yeah.

Steve: Or, I mean, you know, or 95, the real legacy OSes that, sure, you could have put that on the Internet; but, you know, it's just so old, you know, where does Microsoft's responsibility end? So, you know, I'm not arguing, I guess, with this. But if, in fact, these machines are vulnerable, then I had committed, and I believe I should, to fix them for people because Microsoft, it was very clear then last week, was not going to. So...

Leo: And by the way, even if Microsoft doesn't consider it critical, certainly everybody else does, including the users who are susceptible to this.

Steve: Well, and there's still millions of Windows 9x and ME systems out there, I mean, actively on the Internet, that are now in some sort of unknown limbo state.

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Umath

  • Guest
Re: Windows WMF Backdoor speculation
« Reply #2 on: January 15, 2006, 02:20:32 PM »
So, according to the speculation, is this rather similar case with Sony BMG rootkit?  My nerve has been so dulled with "Windows standard" that I cannot be surprised.  This Cnet article is about iTune profiling but it offers some insight on the cultural differences between Windows and Apple users.

Quote
Macintosh users have typically not been exposed to many of the advertising-supported or adware programs that are common in the Windows world, and which routinely raise privacy concerns through poorly disclosed data exchanges.

In either case, it seems that we consumer OS users eventually have to give up privacy/security in return for some temporary conveniences.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Windows WMF Backdoor speculation
« Reply #3 on: January 15, 2006, 06:24:12 PM »
Hi FwF & Umath,

Here is another view on the question:
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

With these discussions it always the same: "From what kind of assumptions do you start the discussion?".

It now seems so that for Win 98 SE amd ME the impact of the WMF flaw never was that what it could be for Win XP platforms. A particular dll responsible is missing in Win 98 SE shimgvm.dll.

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Windows WMF Backdoor speculation
« Reply #4 on: January 19, 2006, 11:17:44 PM »
« Last Edit: January 20, 2006, 12:18:20 PM by kubecj »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

kubecj

  • Guest
Re: Windows WMF Backdoor speculation
« Reply #5 on: January 20, 2006, 12:18:02 PM »
Maybe it would be better to quote anybody else than Gibson.

http://www.grcsucks.com/

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Windows WMF Backdoor speculation
« Reply #6 on: January 20, 2006, 10:14:40 PM »
Czecz Kubecj,

Thank you for this valuable information. There is a lot of misinformation, half truths, and myths presented by so-called security experts. If we do not discuss it here, the misleading of large groups of people seeking some insight on the Internet goes on and on. Good when you try to stop these mythologists.

pozdrawiam,

polonus
« Last Edit: January 20, 2006, 10:16:24 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Umath

  • Guest
Re: Windows WMF Backdoor speculation
« Reply #7 on: January 21, 2006, 12:46:40 PM »
Quote
Stating Patricia McNeill : "Gibson is masterful at stirring up an emotional response in the people who come to his site, and then manipulating these people into believing exactly what he wants them to. The tragedy is that these people come to him looking for facts and information, and come away thinking that they have found some! Gibson tries to present himself as a selfless source of public information, yet his entire site is full of emotional manipulation, misinformation, and misdirection. This man is nothing more that a self-promoting braggart."

The problem is that the site name and the tone of it rather sound emotional and hateful, too, which makes me wonder if the site itself is some kind of bad joke.  If someone points out that what someone says is a myth/someone is arrogant while what he himself says a solid fact/he himself is modest, which should audiences believe?

At least, this thread started as "Windows WMF Backdoor speculation" and nobody seems to have taken it as a fact.

Mastertech

  • Guest
Re: Windows WMF Backdoor speculation
« Reply #8 on: January 21, 2006, 03:22:57 PM »
Gibson is a good guy who sometimes jumps to conclusions but in the end he is simply OVERLY concerned with Security. Anytime he has been proven wrong he has corrected it. His style of reporting problems does get them corrected much quicker IMO. All his utilities on his page work as Advertised and I cannot say enough about his fabulous Spinrite program = it works. On this backdoor issue I agree with Russinovich's reasoning. If you read Russinovich's post he explains why Gibson came to his conclusions which includes some fairly extensive analysis on Gibson's part. But even when I heard Gibson suggest this, I did not believe it.

In the end the GRCSUCKS page is a poor excuse for people to bash a decent honest guy who believes in what he is doing. Someone exceptional with getting the average person thinking about security and we can all agree that is a good thing.
« Last Edit: January 21, 2006, 03:24:34 PM by Mastertech »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Windows WMF Backdoor speculation
« Reply #9 on: January 21, 2006, 03:53:33 PM »
Hello Mastertech,

Please do not come to the rescue of the self-crowned security expert Steve A. Gibson, because he does not need that. He never was a philantropist, and I am the last to say that he was and is a bad "marketeer", that is his speciality and there he is a specialist, and a great fearmongerer in the process.

His glorifying ZoneAlarm was not born about just being enthusiastic about this program, the MacAfee links had a great influence on this enthusiasm too. Why those people always have an opinion on things we cannot know. How Internet Explorer was built deep into the Windows OS (api handling etc.) was never disclosed to alternate browser developers.
So what cannot be revaeled, cannot be checked. The myths are living on. I would love to have an old zombie coder (Undead) here on the forum, one of the hired coders from the days on Win 3.01 who can treat us to some Microsoft coding recipee, how many experts of to-day would be instantly debunked.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Mastertech

  • Guest
Re: Windows WMF Backdoor speculation
« Reply #10 on: January 21, 2006, 04:11:05 PM »
I will always defend any honest person who people attempt to slander. Here is a good read: Steve Gibson A Fraud?

This sums it up:
Quote
Steve's work (at http://www.grc.com ) isn't perfect---- no one's is. And his breezy writing style and high level of enthusiasm put some people off. But he's more often right than wrong, he corrects his mistakes when they're verified (and not simply alleged); and his free services and software are an outright gift to the computing community. ( http://grc.com/freepopular.htm)

His tools work as advertised. I cannot say this enough. Have you even used Spinrite?

What does the IE comment have to do with anything?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Windows WMF Backdoor speculation
« Reply #11 on: January 21, 2006, 04:24:30 PM »
Hi Mastertech,

I never slander, and I think Steve Gibson is an integer guy. But I love the open discussion. I love to make up my own opinion about things. The best thing for that is to hear two sides of a story.
I never was the man that said, this is the truth, the full truth, and nothing but the truth, because simply said this cannot be in this world. It is just nearing the truth, completely besides the facts, and a large gray area in between.
The best to do is analyse an opinion for what it is worth, be open and fair enough to change one's point of view. That Steve Gibson is questioned as an authority, I heard for the first time here, and on the site of Ken Linton, but they had a dispute about vulnerabilities in the ZoneAlarm firewall packet filtering back round the turn of the century.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Mastertech

  • Guest
Opinions
« Reply #12 on: January 21, 2006, 04:32:56 PM »
That is the point. He clearly gives his opinion that the WMF vulnerability is a back door. But that in no way changes the FACT that the WMF vulnerability exists.

As for questing him as an "Authority", that just seems like jealously to me. He gets alot of publicity and people go to his site before others for many reasons. Usually because he cuts through the crap buried in pages of technical analysis on other security sites. The average end user finds this much easier to read.

The attacks on Zonealarm are the same. It is the easiest end user Firewall to use. Instead of being happy people are getting serious about using protection people complain because everyone is not Cisco certified in packet filtering. Gibson promotes simple to use effective solutions. If everyone on the internet listened to half of what he has to say we would have no where near the problems we do today.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Windows WMF Backdoor speculation
« Reply #13 on: January 21, 2006, 04:42:46 PM »
Hi Mastertech,

Then we can come to the conclusion that people need figures like Steve Gibson to sort out issues for them.. I will never say anything against ZoneAlarm, I use(d)  it for years alernating with Sygate. If more security firms would have that responsibility for the general user, sure as hell the Internet would be a safer place. Same laurels have to go to our Avast of course.

I hope Steve finds more bugs like WMF so we can do without it in the coming Vista. Redmond needs the Undead coders once more.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Windows WMF Backdoor speculation
« Reply #14 on: January 23, 2006, 03:50:18 PM »
http://www.grc.com/default.htm

Steve Gibson's latest podcast is out.

Will he be eating humble pie?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog