informa
/
4 min read
article

Lower That Windows Threat Condition Level, Please

Well, darn. I was hoping Steve Gibson was right last week and Microsoft had planted a secret backdoor in the Windows Metafile format (WMF) that would let Bill Gates run mind-domination software on all our PCs and achieve his goal of taking over the universe. Yesterday Gibson said after another week of looking at it that the backdoor is d
Well, darn. I was hoping Steve Gibson was right last week and Microsoft had planted a secret backdoor in the Windows Metafile format (WMF) that would let Bill Gates run mind-domination software on all our PCs and achieve his goal of taking over the universe. Yesterday Gibson said after another week of looking at it that the backdoor is definitely there, but he apologized for any implication that it might be malicious.Gibson is one of the most serious bitheads on the planet: his hard-disk data recovery and maintenance utility SpinRite is a required tool if you have to maintain PCs for a living.

His original charge came in Edition 22 of his weekly podcast with Leo Laporte, Security Now. He had been looking at Microsoft's patch for the WMF vulnerability that allowed a malformed metafile to execute malicious code. Microsoft had posted the patch on Jan. 5, and Gibson, ever the gadfly, was concerned before it came out that Microsoft had unnecessarily delayed it, and after it was issued that Microsoft, by calling it serious rather than critical was deliberately exposing users of Windows 95-98-ME-NT4 to harm.

(The explanation is complex: Microsoft has promised it will fix "critical" issues even in operating systems it is no longer maintaining, but no merely serious problems. Gibson's charge was that Microsoft had deliberately downgraded the severity of the WMF threat in order to avoid fixing it, and thus put pressure on users of older OSes to upgrade to current versions.)

In his podcast last week he said he had discovered that the WMF vulnerability used by hackers was deliberately planted in Windows code by Microsoft, and had a clear trigger mechanism to start executing code tucked into a WMF file.

Microsoftian Stephen Toulouse quickly responded with an entry on the Microsoft Security Response Center Blog which said that what Gibson was seeing (a function called SetAbortProc) was basically an artifact in the code that had no good reason to be there. It had been part of the original Windows Graphic Display Interface code (it was a call-back from Windows to the application-defined abort function that allows a print job to be canceled during spooling) and when metafile support had been added to Windows the SetAbortProc function had been picked up along with the rest of the GDI code and dumped into WMF even though it really had no good reason to be there.

Gibson, for his part, seems to have come to pretty much the same conclusion. Yesterday, in Edition 23 he explicitly apologized for any implication that the WMF vulnerability was malicious behaviour by Microsoft, and said he wrong about the trigger. He maintained his conclusion that it was obviously intentional, but said there was no way of knowing who put it into the code or why. He said that his research into the problem had shown that Windows 95-98-ME were definitely not vulnerable to WMF exploits so users of those OSes don't have to worry, but NT4 is vulnerable and unpatched.

(The vulnerability seems to be limited, though. Exploits built on the WMF vulnerability typically execute in a user environment -- opening a metafile in the default viewer, even indexing a metafile in Google Desktop Search -- while where NT4 is still running is mostly on servers where these tasks are probably extremely rare. There are a couple of utilities, Gibson said, that can protect NT4, as well, that he identifies on his Web site.)

If you like this sort of very techy food-fight you should visit his Web page. There you will find a neat little utility, "Mousetrap," he wrote to check your system for the WMF vulnerability. But if you had hoped that this time Microsoft would get it caught in a crack, it looks like you're going to be disappointed once again -- along with Gibson.

For me, Toulouse's explanation rings true: I'm perfectly willing to believe it wasn't intent to do evil that put the SetAbortProc function into the WMF code; it was simple incompetence. That's the Microsoft I know and love.