As you may know, security expert Steve Gibson said that if Microsoft didn’t release a patch for Windows 9x, he would, so he set about writing one. Steve spent plenty of time researching exactly how the WMF exploit works, and found something very scary indeed. According to Steve, the WMF exploit was not an error; it was a deliberate backdoor from Microsoft, enabling those in the know to execute code on other people’s Windows machines.
A WMF file is really a graphics script which tells Windows to draw a line here which is this long, a rectangle over there which is “x” high and “y” wide with a purple fill colour, and so on. To aid this, each drawing instruction (each line, rectangle or otherwise) is stored as a record, and every record begins with a header that gives its length. Setting this length to 1, which is an invalid value in this context (the length is counted in 16-bit words, and a record needs at least three words just for its length and function fields), makes Windows behave in an odd manner: according to Steve’s analysis, it treats what follows in the file as executable code and runs it.
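The following is an added example, not code from the original post or from GRC: a small walker over the WMF record chain described above, which flags the two things a scanner at a mail or web gateway would want to reject, a record whose length field is structurally invalid (such as the value 1) and an Escape record carrying the SETABORTPROC subfunction that Steve refers to. The field layout (an 18-byte METAHEADER followed by records whose size is given in 16-bit words, with an optional 22-byte placeable header in front) is the documented WMF format; the sample files are constructed in memory, and the eight 0x90 bytes stand in for attacker data, not real shellcode.

```python
"""Walk WMF records and flag malformed sizes and SETABORTPROC escapes.

Added example (not the original post's or GRC's code). Sample files are
constructed inline; nothing here is a real captured exploit.
"""
import struct
from typing import Optional

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000            # rdFunction of the terminating record
META_RECTANGLE = 0x041B      # harmless drawing record used in the sample
META_ESCAPE = 0x0626         # rdFunction for GDI Escape records
SETABORTPROC = 9             # Escape subfunction: register an abort callback
MIN_RECORD_WORDS = 3         # rdSize (2 words) + rdFunction (1 word), no params


def parse_records(data: bytes):
    """Yield (offset, rdSize_in_words, rdFunction, params, size_ok) per record.

    A record whose rdSize is below MIN_RECORD_WORDS, or which runs past the end
    of the file, is yielded with size_ok=False (with the rest of the file as
    its params) and the walk stops, since the next record cannot be located.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    # METAHEADER: mtType, mtHeaderSize (words), mtVersion, mtSize (DWORD, words),
    # mtNoObjects, mtMaxRecord (DWORD, words), mtNoParameters -> 18 bytes
    _mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    off += hdr_words * 2
    while off + 6 <= len(data):
        rd_size, rd_func = struct.unpack_from("<IH", data, off)
        if rd_size < MIN_RECORD_WORDS:
            yield (off, rd_size, rd_func, data[off + 6:], False)
            return
        end = off + rd_size * 2
        if end > len(data):
            yield (off, rd_size, rd_func, data[off + 6:], False)
            return
        yield (off, rd_size, rd_func, data[off + 6:end], True)
        if rd_func == META_EOF:
            return
        off = end


def scan_wmf(data: bytes):
    """Return a list of (offset, reason) findings for records worth rejecting."""
    findings = []
    for off, rd_size, rd_func, params, size_ok in parse_records(data):
        if not size_ok:
            findings.append((off, f"malformed rdSize={rd_size} (min {MIN_RECORD_WORDS} words)"))
        # Escape params: WORD escape function, WORD byte count, then data
        if rd_func == META_ESCAPE and len(params) >= 2:
            escape_fn = struct.unpack_from("<H", params, 0)[0]
            if escape_fn == SETABORTPROC:
                findings.append((off, "META_ESCAPE with SETABORTPROC (abort-procedure pointer in image data)"))
    return findings


def _record(rd_func: int, params: bytes, rd_size_words: Optional[int] = None) -> bytes:
    """Serialise one record; rd_size_words overrides the correct size to forge a bad one."""
    if rd_size_words is None:
        rd_size_words = (6 + len(params)) // 2
    return struct.pack("<IH", rd_size_words, rd_func) + params


def build_sample(with_abortproc: bool, forged_size: Optional[int] = None) -> bytes:
    """Construct a tiny WMF in memory (constructed sample, not a real file)."""
    records = [_record(META_RECTANGLE, struct.pack("<HHHH", 40, 30, 10, 10))]
    if with_abortproc:
        payload = b"\x90" * 8  # stand-in for attacker bytes, NOT real shellcode
        esc = struct.pack("<HH", SETABORTPROC, len(payload)) + payload
        records.append(_record(META_ESCAPE, esc, forged_size))
    records.append(_record(META_EOF, b""))
    body = b"".join(records)
    max_rec = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(False)),
                          ("abortproc", build_sample(True)),
                          ("abortproc, rdSize=1", build_sample(True, forged_size=1))):
        print(label, scan_wmf(sample))
```

The scanner flags the SETABORTPROC escape whether or not the size field has been tampered with, because a metafile coming from an untrusted source has no legitimate reason to register an abort procedure at all; the size check is there so that a walker never trusts a length it cannot use to find the next record.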
Steve: But the only conclusion I can draw is that there has been code from at least Windows 2000 on, and in all current versions, and even, you know, future versions, until it was discovered, which was deliberately put in there by some group, we don’t know at what level or how large in Microsoft, that gave them the ability that they who knew how to get their Windows systems to silently and secretly run code contained in an image, those people would be able to do that on remotely located Windows machines…
Leo: So you’re saying intentionally or – Microsoft intentionally put a backdoor in Windows? Is that what you’re saying?
Leo: Well, that’s a pretty strong accusation. Could this not have been a…
Steve: Well, it’s the only conclusion…
Leo: It couldn’t have been a mistake?
Steve: I don’t see how it could have been a mistake. Again, I’m going to continue to look at it. But from what I’ve seen now, this had to be deliberate.
Leo: But let me ask you one more – you’re convinced there’s no way this could have happened by accident. It can’t be a programming error or bad design.
Steve: No. No. I mean, you know, again, this is as much a surprise to me, Leo, as it is to, you know, anyone who hears this. I did not expect to see this. I expected to find, for example, that the way this exploit worked was that the SETABORTPROC was working correctly, and that I would give it a pointer to my own code a few bytes lower, then I would do something to force the metafile to abort, and then the metafile processing would use the pointer, the legitimate SETABORTPROC pointer, and then basically run the code that was located right there in the metafile. That’s what I thought I was going to encounter, something that sort of made sense, like we were originally led to believe. Or actually I think, you know, Microsoft didn’t say anything at all. So we just all kind of presumed this was another one of those coding errors that Microsoft now famously makes and corrects on the second Tuesday of every month. This wasn’t a programming error. And, you know, so it’s like, whoa. When I give it the magic key on the size of the metafile record, then it jumps directly into my code.
Steve: Now, you know, if Microsoft had said last week, whoops, this was an undocumented backdoor or means for us to run code in a metafile, we never documented it, our security sweeps didn’t find it, blah blah blah – but nothing was said. They allowed the industry to believe that this was just like all their other code mistakes, but this wasn’t like all their other code mistakes.
Leo: Well, it’s a very serious indictment, if not of Microsoft, maybe of a renegade programmer inside Microsoft. If you were doing a code review, would this kind of thing stand out? Would it be fairly obvious that something was going on?
Steve: Yeah. I mean, I’ve seen Microsoft source code. In the old days they used to publish the source for what’s called the DDK, the Device Driver Kit. And, you know, they’re very cautious about, you know, on a module-by-module basis, there’s the person’s name or initials and when they made changes and what they made to the code that follows. So, I mean, again, Leo, we’re never going to know for sure. I mean, I’ve been in this position with Microsoft in the past, or similar positions. And, you know, it’s very difficult to get a straight answer from them. So I don’t know what their source says. But it seems to me that somebody had to have seen relatively recently, certainly since Windows 2000, had to have looked at the code, seen that this was something that was there, and just kind of nodded to himself and said, yup, that’s what we want to have in our metafile processing code.
Leo: Wow. Well, I’m sure we’ll hear more about this. I think you probably are going to stir up a hornet’s nest here. And if Microsoft would like to come on the show and respond, you absolutely are welcome to do so. I’d like to hear an explanation.
In the interests of space, I have not copied every detail, and there is a lot discussed. You can read the full transcript at http://www.grc.com/sn/SN-022.htm or listen to Security Now! Episode 22 at http://media.grc.com/sn/SN-022.mp3.
Steve is rarely wrong about these things, so this is a major concern. There is some use for this “feature”, in that Microsoft could have embedded a super important patch in an image on all of their websites and had it patch an awful lot of computers, but it was also an accident waiting to happen, which is exactly what happened a few weeks ago when the exploit turned up in the wild.
As Steve said, this is something which would stand out in a code security audit, and Microsoft has done a few audits on its code, so this almost has to have been something Microsoft purposefully placed there. As Steve also admits, though, without Microsoft’s source and a straight answer from them we are never going to know for sure.
More details as they come to hand.