So now Steve Gibson is claiming
that the WMF flaw was deliberate, put there by Microsoft in order to provide a back door. Is this guy for real? Next he'll be complaining that the US never landed on the moon ...
-
-
Deliberate as in required by NSA?

EDIT: I think the acronym speaks for itself: WMF -
"Mr. Potato Head! Mr. Potato Head, back doors are not secrets! They're not tricks!"
-
He's still making a living on his disk recovery snake oil?
-
Mr. Gibson is obviously smoking crack.
Edit: BTW, anyone who has ever seen the movie 'Hackers' knows about 'hacking the Gibson'. I know the reference is to William Gibson, but every time I see Steve Gibson, I think of this reference. The thought chain goes like this:
1) Steve Gibson blah, blah, blah
2) Hacking the Gibson!
3) Careful with that Axe, Eugene! -
Yeah I saw this on digg...
His point, if I understand it, relates to the fact that each metafile record has a four-byte length value, the minimum length is 6, and that when you incorrectly set the length to a specific value -- 1 -- Windows starts executing the next byte in the metafile.
Apparently if you use other invalid record lengths -- 0, 2, 3, 4, 5 -- nothing bad happens. The only invalid length that causes execution of a WMF is "1."
I think his contention is that, if it was a bug, other invalid lengths should also trigger the execution of code. (e.g. a length of "0" or "2" should cause the same problem).
Steve: And so, you know, because I'm a developer when I'm not being a hacker, I wanted to understand - oh, and the other thing is, I want to write a robust testing application, you know, that always works all the time. So I wanted to know, like, okay, what bytes have to be set which way, what matters, what doesn't. Because, you know, that's the way you get something that is as solid as, you know, the code that I put out from GRC. So what I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. Okay, Leo? This was not a mistake. This is not buggy code. This was put into Windows by someone. We are never going to know who.
I think going all X-Files and saying "This was not a mistake" is a little premature at this point... it's worthy of investigation, of trying to figure out why a "1" gets treated as a special invalid value, but you need to gather a bit more evidence before you go around making accusations like that... -
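To make the record structure the posts above are arguing about concrete, here is a small WMF record scanner. It is an added example, not code from the thread or from GRC, and the sample file it parses is constructed in memory rather than captured from a real exploit. It follows the format conventions (the Size field of a record counts 16-bit words, so the legal minimum is 3 words, i.e. the 6 bytes mentioned above) and flags two things a practitioner would want to see: an ESCAPE record whose subcode is SETABORTPROC, which is the MS06-001 vector, and any record whose Size field is below the minimum, including the size-of-1 case the thread discusses. It does not try to explain why GDI treated 1 specially; it only shows how a parser that trusts the Size field would be led outside the record.

```python
import struct

# WMF constants (Windows Metafile format; record sizes are counted in 16-bit words)
PLACEABLE_MAGIC = 0x9AC6CDD7      # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009             # ESCAPE subcode that installs a callback (MS06-001 vector)
MIN_RECORD_WORDS = 3              # 4-byte Size + 2-byte Function and nothing else


def scan_wmf(data):
    """Walk the record list and report what a trusting player would stumble over.

    Returns {"records": [...], "findings": [...]} where each finding is a tuple
    (kind, record_offset, size_words).
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_size_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_size_words * 2                   # normally 9 words = 18 bytes

    records, findings = [], []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size_bytes = size_words * 2
        rec = {"offset": off, "size_words": size_words, "function": func}

        # The escape subcode sits right after the Function word; read it whether or
        # not the Size field admits it, since that is where a player would look.
        if func == META_ESCAPE and off + 8 <= len(data):
            rec["escape"] = struct.unpack_from("<H", data, off + 6)[0]
            if rec["escape"] == SETABORTPROC:
                findings.append(("setabortproc_escape", off, size_words))
        records.append(rec)

        if func == META_EOF:
            break
        if size_words < MIN_RECORD_WORDS:
            # Size 0 would never advance, 1 and 2 overlap the following bytes; a player
            # that trusts the field reads outside the record.  Stop here and report it.
            findings.append(("undersized_record", off, size_words))
            break
        if off + size_bytes > len(data):
            findings.append(("record_past_eof", off, size_words))
            break
        off += size_bytes
    return {"records": records, "findings": findings}


def build_sample(with_abortproc):
    """Construct a minimal WMF in memory (a made-up sample, not a captured file)."""
    body = struct.pack("<IHH", 4, META_SETMAPMODE, 8)           # harmless 4-word record
    if with_abortproc:
        # Size field lies (1 word), Function is ESCAPE, subcode is SETABORTPROC, then
        # placeholder bytes standing in for whatever an attacker would put there.
        body += struct.pack("<IHH", 1, META_ESCAPE, SETABORTPROC) + b"\xCC" * 8
    body += struct.pack("<IH", 3, META_EOF)
    total_words = (18 + len(body)) // 2
    max_record_words = 8 if with_abortproc else 4
    # Type, HeaderSize, Version, Size, NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_record_words, 0)
    return header + body


if __name__ == "__main__":
    for label, flag in (("benign", False), ("abortproc", True)):
        result = scan_wmf(build_sample(flag))
        print(label, result["findings"])
```

Run as a script it prints an empty findings list for the benign sample and two findings at offset 26 for the other one: the SETABORTPROC escape and the undersized record. Pointing `scan_wmf` at real `.wmf` bytes works the same way; the scanner deliberately stops at the first malformed record rather than guessing where the next one starts.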
Karim wrote:Steve: And so, you know, because I'm a developer when I'm not being a hacker, I wanted to understand - oh, and the other thing is, I want to write a robust testing application, you know, that always works all the time. So I wanted to know, like, okay, what bytes have to be set which way, what matters, what doesn't. Because, you know, that's the way you get something that is as solid as, you know, the code that I put out from GRC. So what I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. Okay, Leo? This was not a mistake. This is not buggy code. This was put into Windows by someone. We are never going to know who.
Was this a transcript of a spoken interview?
...because I don't usually trust people who include things like "- oh and the other thing is", ", you know,", or "like, okay" in written correspondence.
-
Karim wrote:Yeah I saw this on digg...
I think his contention is that, if it was a bug, other invalid lengths should also trigger the execution of code. (e.g. a length of "0" or "2" should cause the same problem).
I'm amazed that Steve "I'm a hacker" Gibson can't figure out that a bug like this probably won't act in predictable ways. How does he know that setting the length to anything other than 1 doesn't cause other strange, but undetectable things to happen?
He might have stumbled upon the reason that it took so long to find this bug...it only fails if the value is 1. Why? Who knows, but I'm willing to bet it has something to do with byte boundaries.
MSFT isn't Sony. They aren't stupid enough to purposefully leave in backdoor or easter egg code when the US Govt. requires them not to do so. -
W3bbo wrote:Was this a transcript of a spoken interview?
Yes. The link's at the top of the thread:
http://www.grc.com/sn/SN-022.htm
The MP3s of the podcast are at the top of that page. Other episodes available at:
http://grc.com/securitynow.htm
-
Karim wrote:then Windows created a thread and jumped into my code, began executing my code.
The bit that worried me was the 'created a thread' bit. That sounds fairly deliberate; I'd be worried if my code was *accidentally* creating threads. But then, he could be flat-out exaggerating.
-
The fact that WINE reimplemented the specs and also had the vuln makes me wonder. I can't wait to hear info from a microsoft person about this.
-
ScanIAm wrote:MSFT isn't Sony. They aren't stupid enough to purposefully leave in backdoor or easter egg code when the US Govt. requires them not to do so.
Aren't there easter eggs in Microsoft products...?
My main problem with the "this was no mistake" theory is NOT that a backdoor is unthinkable, but rather that a metafile isn't really a good place to put one. To employ it, you'd have to force people to visit a site or otherwise acquire the metafile. And then it wouldn't be selective -- everyone who visited the site would get 0wned.
No, if you're going to intentionally put in a backdoor, you should implement something that doesn't require the user's participation. That would be the smart way of doing it. Microsoft may be evil, but they are not stupid. LOL
-
Karim wrote:Aren't there easter eggs in Microsoft products...?

Not anymore.
I can't find the exact reference - it was either on a thread here or on his blog somewhere - but Larry Osterman explained that MS has had a very strict no-easter-egg policy for several years now. They were removed for exactly this reason - they are a potential source of bugs, exploits and vulnerabilities for no appreciable business value. -
is this stuff for real?
I mean, if Microsoft wanted to put a trojan in everyone's PC, they can. And why do that when you have Windows Live Update anyway?
LOL:P -
Apparently this exact same bug appears in Wine from following the specs, so it cannot be deliberate. I've got to learn to ignore pages where his name is mentioned.
-
Don't be too hard on yourself. He's a professional huckster.
-
The digg reaction is pathetic, all the "Gibson sucks" messages got voted down with "shut up fanboi" reactions.
-
I can't believe that this is the first comment:
codenexus wrote:
Steve Gibson could be wrong but boy he's usually really honest. Knowing how good he is at programming and how smart he is I think he's on to something. I hope not but somehow, sadly, I'm not surprised.