Posted By: Rossj | Jan 13th, 2006 @ 10:26 AM
page 1 of 2
Comments: 38 | Views: 8739
So now Steve Gibson is claiming that the WMF flaw was deliberate, put there by Microsoft in order to provide a back door.  Is this guy for real? Next he'll be complaining that the US never landed on the moon ...
JohnAskew
9 girl in pink sweater
Deliberate as in required by NSA? ;)

EDIT: I think the acronym speaks for itself:  WMF
barogers
Come On Fhqwhgads!
"Mr. Potato Head! Mr. Potato Head, back doors are not secrets! They're not tricks!"
Tom Servo
W-hat?
He's still making a living on his disk recovery snake oil?
ScanIAm
On a scale of 1 to 10, people are stupid.
Mr. Gibson is obviously smoking crack.

Edit: BTW, anyone who has ever seen the movie 'hackers' knows about 'hacking the gibson'.  I know the reference is to William Gibson, but every time I see Steve Gibson, I think of this reference.  The thought chain goes like this:

1) Steve Gibson blah, blah, blah
2) Hacking the Gibson!
3) Careful with that Axe Eugene!
Karim
Trapped in a world he never made!
Yeah I saw this on digg...

His point, if I understand it, relates to the fact that each metafile record has a four-byte length value, the minimum length is 6, and that when you incorrectly set the length to a specific value -- 1 -- Windows starts executing the next byte in the metafile.

Apparently if you use other invalid record lengths -- 0, 2, 3, 4, 5 -- nothing bad happens.  The only invalid length that causes execution of a WMF is "1."

I think his contention is that, if it was a bug, other invalid lengths should also trigger the execution of code.  (e.g. a length of "0" or "2" should cause the same problem).

Steve: And so, you know, because I'm a developer when I'm not being a hacker, I wanted to understand - oh, and the other thing is, I want to write a robust testing application, you know, that always works all the time. So I wanted to know, like, okay, what bytes have to be set which way, what matters, what doesn't. Because, you know, that's the way you get something that is as solid as, you know, the code that I put out from GRC. So what I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. Okay, Leo? This was not a mistake. This is not buggy code. This was put into Windows by someone. We are never going to know who.

I think going all X-Files and saying "This was not a mistake" is a little premature at this point... it's worthy of investigation, of trying to figure out why a "1" gets treated as a special invalid value, but you need to gather a bit more evidence before you go around making accusations like that...
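As an added example, not code from the thread, from GRC or from Microsoft, here is a Python record walker that checks WMF record length fields the way Karim describes: every record carries a 4-byte size (in 16-bit words), the smallest legal record is 6 bytes, so any size below 3 words is flagged, as is a size that runs past the end of the file. Header and record layout follow the WMF format; the sample metafiles are constructed inline.

```python
import struct
from typing import List, Optional

# WMF layout: optional 22-byte placeable header, 18-byte META_HEADER, then records of
# [4-byte size in 16-bit words][2-byte function][params]; the smallest legal record is 3 words (6 bytes).
PLACEABLE_KEY, PLACEABLE_HEADER_LEN, META_HEADER_LEN = 0x9AC6CDD7, 22, 18
MIN_RECORD_WORDS, META_EOF = 3, 0x0000

def validate_wmf(data: bytes) -> List[str]:
    """Walk the record stream and return findings; an empty list means every record length is sane."""
    findings: List[str] = []
    off = PLACEABLE_HEADER_LEN if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + META_HEADER_LEN:
        return ["truncated: no complete META_HEADER"]
    hdr_words = struct.unpack_from("<H", data, off + 2)[0]
    if hdr_words != 9:
        findings.append(f"header size {hdr_words} words (expected 9)")
    off += META_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < MIN_RECORD_WORDS:
            # A lying length (the thread's case is 1) means nothing past this offset can be
            # trusted, so report and stop rather than trying to re-synchronise.
            findings.append(f"record at offset {off:#x}: length {size_words} words is below the 6-byte minimum")
            return findings
        end = off + size_words * 2
        if end > len(data):
            findings.append(f"record at offset {off:#x}: length runs past end of file")
            return findings
        if func == META_EOF:
            return findings
        off = end
    findings.append("no META_EOF record found")
    return findings

def build_record(func: int, params: bytes, size_words: Optional[int] = None) -> bytes:
    """Encode one record; pass size_words to deliberately mis-state the length."""
    if size_words is None:
        size_words = MIN_RECORD_WORDS + len(params) // 2
    return struct.pack("<IH", size_words, func) + params

# Constructed sample files (not captures): a well-formed metafile, and the same file with one
# META_SETWINDOWORG record whose length field claims 1 word.
META_HEADER = struct.pack("<HHHHHHIH", 1, 9, 0x0300, 0, 0, 0, 0, 0)
SETMAPMODE = build_record(0x0103, struct.pack("<H", 1))  # META_SETMAPMODE, MM_TEXT
GOOD_WMF = META_HEADER + SETMAPMODE + build_record(META_EOF, b"")
BAD_WMF = (META_HEADER + SETMAPMODE
           + build_record(0x020B, b"\x00" * 4, size_words=1) + build_record(META_EOF, b""))
```

Running `validate_wmf` over a directory of metafiles is a cheap triage step: a clean file returns an empty list, while a record whose size field lies is reported with its offset.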
W3bbo
The Master of Baiters
Karim wrote:
Steve: And so, you know, because I'm a developer when I'm not being a hacker, I wanted to understand - oh, and the other thing is, I want to write a robust testing application, you know, that always works all the time. So I wanted to know, like, okay, what bytes have to be set which way, what matters, what doesn't. Because, you know, that's the way you get something that is as solid as, you know, the code that I put out from GRC. So what I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. Okay, Leo? This was not a mistake. This is not buggy code. This was put into Windows by someone. We are never going to know who.


Was this a transcript of a spoken interview?

...because I don't usually trust people who include things like "- oh and the other thing is", ", you know,", or "like, okay" in written correspondence.
ScanIAm
On a scale of 1 to 10, people are stupid.
Karim wrote:
Yeah I saw this on digg...

I think his contention is that, if it was a bug, other invalid lengths should also trigger the execution of code.  (e.g. a length of "0" or "2" should cause the same problem).



I'm amazed that Steve "I'm a hacker" Gibson can't figure out that a bug like this probably won't act in predictable ways.  How does he know that setting the length to anything other than 1 doesn't cause other strange, but undetectable things to happen?

He might have stumbled upon the reason that it took so long to find this bug...it only fails if the value is 1.  Why?  Who knows, but I'm willing to bet it has something to do with byte boundaries.

MSFT isn't Sony.  They aren't stupid enough to purposefully leave in backdoor or easter egg code when the US Govt. requires them not to do so.
Karim
Trapped in a world he never made!
W3bbo wrote:
Was this a transcript of a spoken interview?



Yes.  The link's at the top of the thread:

http://www.grc.com/sn/SN-022.htm

The MP3s of the podcast are at the top of that page.  Other episodes available at:

http://grc.com/securitynow.htm
The fact that WINE reimplemented the specs and also had the vuln makes me wonder.  I can't wait to hear info from a microsoft person about this.
Karim
Trapped in a world he never made!
ScanIAm wrote:
MSFT isn't Sony.  They aren't stupid enough to purposefully leave in backdoor or easter egg code when the US Govt. requires them not to do so.


Aren't there easter eggs in Microsoft products...?

My main problem with the "this was no mistake" theory is NOT that a backdoor is unthinkable, but rather that a metafile isn't really a good place to put one.  To employ it, you'd have to force people to visit a site or otherwise acquire the metafile.  And then it wouldn't be selective -- everyone who visited the site would get 0wned.

No, if you're going to intentionally put in a backdoor, you should implement something that doesn't require the user's participation.  That would be the smart way of doing it.  Microsoft may be evil, but they are not stupid.  LOL
Yggdrasil
Pour me a cab, 'cause I can't drink no more.
Karim wrote:
Aren't there easter eggs in Microsoft products...? 


Not anymore.
I can't find the exact reference - it was either on a thread here or on his blog somewhere - but Larry Osterman explained that MS has had a very strict no-easter-egg policy for several years now. They were removed for exactly this reason - they are a potential source of bugs, exploits and vulnerabilities for no appreciable business value.
is this stuff for real?

I mean if Microsoft wanted to put a trojan in everyone's PC, they can. And why do that when you have windows live update anyways?

LOL:P
ScanIAm
On a scale of 1 to 10, people are stupid.
Don't be too hard on yourself.  He's a professional huckster.
blowdart
Peek-a-boo
The digg reaction is pathetic, all the "Gibson sucks" messages got voted down with "shut up fanboi" reactions.
ScanIAm
On a scale of 1 to 10, people are stupid.
I can't believe that this is the first comment:

codenexus wrote:

Steve Gibson could be wrong but boy he's usually really honest. Knowing how good he is at programming and how smart he is I think he's on to something. I hope not but somehow, sadly, I'm not surprised.


DoomBringer
Doom!
ScanIAm wrote:
I can't believe that this is the first comment:

codenexus wrote:
Steve Gibson could be wrong but boy he's usually really honest. Knowing how good he is at programming and how smart he is I think he's on to something. I hope not but somehow, sadly, I'm not surprised.



dear god the slashdot crowd has taken over teh digg!!!!11oneone!
Stepto
Not everyone at the MSRC shaves their head.
MSRC is on the case.  Blogged earlier today:

http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx


S.
LaBomba
Summer
hahahah cool Stepto!
Stepto
Not everyone at the MSRC shaves their head.
BTW doombringer, you might be interested to note a little trivia, I have a cameo in Doom3.  Look for the PDA entry by Steve "Tooloose". :>

I grew up in Dallas and know Xian over at id software.


EDIT:  http://www.stepto.com/default/images/cameo.jpg


S.
ScanIAm
On a scale of 1 to 10, people are stupid.
Stepto wrote:
MSRC is on the case.  Blogged earlier today:

http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx


S.


Very, very interesting.  I'm going to suggest that we offer Mr. Gibson his choice of tinfoil beanies.
I love the obligatory explanation between hacker and cracker. At some point, I'd think people just accept that the meaning of the word has changed, much like how the word gay now refers to the homosexual community. No amount of "correction" is going to change things at this point.

EDIT: Just so we're clear, I don't want that example to be taken in a derogatory fashion; it just seemed like an example everyone would understand. A more neutral example: the word computer used to refer to a human being.