WMF Redux: Microsoft Denies Planting WMF Flaw as Backdoor
Published: January 18, 2006
by Alex Woodie
Sony-BMG did it with its CDs, and now faces the wrath of angry consumers. So did Symantec, which was criticized last week for attempting it with its security software. Now Microsoft has been accused of secretly planting a backdoor--in the guise of the recently discovered and patched Windows Metafile (WMF) flaw--that allowed hackers to compromise an affected system. The software giant denied this accusation.
Windows security researcher Steve Gibson, in his regularly scheduled podcast last week, leveled the accusation that Microsoft intentionally left a hole in its graphics rendering engine, which became known as the WMF Flaw, so that it could remotely access Windows users' PCs over the Internet.
Gibson says he developed this theory while trying to understand how the WMF flaw actually worked. In his weekly broadcast with co-host Leo Laporte, a transcript of which is archived online, Gibson says he was dumbfounded to find that Windows would keep executing code from a print job even after that print job had been aborted, with the code in question supplied by the metafile itself.
"What I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. Okay, Leo? This was not a mistake. This is not buggy code. This was put into Windows by someone."
Gibson, who develops Windows utilities when he's not, in his own words, practicing hacking, says he's not sure of the intention of the person who wrote this vulnerability into the Windows graphic engine. He says it could have been put there intentionally by a Microsoft programmer without the knowledge of senior management, or that it could have been a non-malicious way for Microsoft to display graphics in a Web browser when other methods, such as ActiveX controls, are turned off or blocked for security purposes.
Microsoft's security team did not take Gibson's accusation lying down. Last Friday, one day after Gibson leveled his accusation, Microsoft's Stephen Toulouse posted to the Microsoft Security Response Center Blog and aimed straight at the technical heart of Gibson's claim: that a record size of one is the magic metafile key for running arbitrary code on a Windows system through the WMF flaw, and that this could only have been done intentionally.
"There's been some speculation that you can only trigger this by using an incorrect size in your metafile record and that this trigger was somehow intentional," Toulouse wrote in the blog. "That speculation is wrong on both counts. The vulnerability can be triggered with correct or incorrect size values."
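The disagreement between Gibson's "size one" observation and Toulouse's reply comes down to how a WMF file is parsed. As an added example that is not part of the article, and not code from Gibson or Microsoft, the Python scanner below walks the records of a WMF file and flags every escape record that registers a print-abort callback, which is the record type behind the flaw the article only paraphrases. The record layout and the META_ESCAPE, SETABORTPROC and placeable-header constants come from the public WMF format, not from the article; the three sample files are constructed inline and the "callback" bytes are placeholders, not exploit code. The scanner reads the escape sub-function from the two bytes after the function code rather than trusting the size field, so a record is caught whether its size is honest (7 words here) or deliberately set to 1 as in Gibson's test, which is the substance of Toulouse's point.

```python
import struct

# Record layout constants from the WMF format (not from the article).
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" header in front of the file
META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_ESCAPE = 0x0626          # record type that carries a printer escape
SETABORTPROC = 0x0009         # escape sub-function that registers an abort callback
PREFIX_WORDS = 3              # every record starts with a 4-byte size and a 2-byte function


def iter_records(data):
    """Yield (offset, size_in_words, function) for each record in a WMF blob.

    The walk tolerates a lying size field: anything below the 3-word prefix is
    treated as 3 words so the scanner still advances instead of looping forever.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # normally 9 (18 bytes)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        yield off, size_words, func
        if func == META_EOF:
            break
        off += max(size_words, PREFIX_WORDS) * 2


def find_abortproc_records(data):
    """Return [(offset, size_in_words)] for every ESCAPE/SETABORTPROC record.

    The escape sub-function is read from the two bytes after the function code,
    not from where the size field claims the parameters end, so a record is
    flagged whether its size is honest or deliberately wrong.
    """
    hits = []
    for off, size_words, func in iter_records(data):
        if func == META_ESCAPE and off + 8 <= len(data):
            escape_func = struct.unpack_from("<H", data, off + 6)[0]
            if escape_func == SETABORTPROC:
                hits.append((off, size_words))
    return hits


# --- constructed sample files (hypothetical, not real-world samples) ---

def _record(func, params=b"", size_words=None):
    """Build one record; size_words overrides the honest size to mimic a lying header."""
    if size_words is None:
        size_words = (6 + len(params)) // 2
    return struct.pack("<IH", size_words, func) + params


def _wmf(*records):
    """Wrap records in a minimal 18-byte standard WMF header."""
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


ABORT_PARAMS = struct.pack("<HH", SETABORTPROC, 4) + b"ABCD"  # 4 placeholder callback bytes

BENIGN_WMF = _wmf(_record(META_SETBKMODE, struct.pack("<H", 1)), _record(META_EOF))
HONEST_ABORTPROC_WMF = _wmf(_record(META_ESCAPE, ABORT_PARAMS), _record(META_EOF))
LYING_SIZE_WMF = _wmf(_record(META_ESCAPE, ABORT_PARAMS, size_words=1), _record(META_EOF))

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("honest size", HONEST_ABORTPROC_WMF),
                       ("size field = 1", LYING_SIZE_WMF)]:
        print(f"{name:15s} -> {find_abortproc_records(blob)}")
```

Run stand-alone, the two abort-procedure samples are reported at offset 18 (with size 7 and size 1 respectively) while the benign file produces no finding. The same walk can be pointed at WMF data embedded in documents as a quick triage check, with the caveat that it only identifies the record type and says nothing about whether a given Windows build would actually invoke the callback.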
The episode reflects growing suspicion within the IT community that large corporations are quietly shipping so-called "rootkits" with their products. Rootkits, which originated on Unix as modified system binaries that hid an intruder's presence, conceal files and processes from the operating system and its administrators, letting Trojan horses and other malware persist unnoticed and giving attackers unfettered access.
Security vendor Symantec has drawn the ire of Windows users for a hidden directory created by its Norton SystemWorks software, which gave hackers a concealed location in which to hide their malware on users' systems. In an explanation posted to its Web site last week, Symantec acknowledged that the design was flawed. "Files in the directory might not be scanned during scheduled or manual virus scans. This could potentially provide a location for an attacker to hide a malicious file on a computer."
Similarly, Sony-BMG has egg on its face after admitting that more than 6 million of its music CDs contained hidden copy-protection software that in practice opened an avenue for hackers to infiltrate victims' computers. The company has offered to replace the 2 million affected CDs already sold and has recalled a further 4 million affected CDs that had not yet reached stores.
Rootkits are a growing security threat to Windows users: they provide a foothold for installing many other kinds of malware, they are hard to detect, and most users do not know when one is present on their system.
In 2005, Microsoft stepped up its efforts to shed light on rootkits, which it says are nearly undetectable. In its recent security paper, titled "Rootkits: The Obscure Hacker Attack", Microsoft advises customers to use a tool such as Sysinternals' RootkitRevealer to flush out hidden rootkits.
In his podcast, Gibson said he was still researching the vulnerability.