It turns out that Steve Gibson was mostly correct when he announced that he thought the WMF exploit was a deliberate backdoor [1].
It would appear that Steve stumbled on another part of the exploit, rather than the section which was being used. Steve uncovered a section which made use of an invalid length record in metafiles with only one record. It is the considered opinion of independent security experts that this section of the code was deliberately implemented by the programmer as a way of executing code in a metafile. Whether or not it is a backdoor is dependent on your definition of backdoor. Whilst it is a program backdoor similar to “secret” master BIOS passwords set by the manufacturer, it isn’t a backdoor in the “malicious person remotely gains access to your computer” sense (although it can contain code to do such things).
Steve has now, in collaboration with other experts, created a WMF exploit tester [2] which tests for all the known ways of exploiting the WMF exploit, on Windows and WINE.
The following operating systems and envoironments are vulnerable to the WMF exploit until a patch is installed:
- Windows Vista beta
- Windows XP
- Windows 2000
- WINE
The following operating systems are vulnerable and will not be patched by Microsoft, you must run a vulnerability supressor such as the one from NOD32 [3] (it’s free) on these operating systems.
- Windows NT 4
All other operating systems are safe.
You can download the vulnerability tester, and read more about the WMF exploit from http://www.grc.com/wmf/wmf.htm [2], the page includes a detailed Q & A about the vulnerability, including analysis from Microsoft and security experts other than Steve.
Whilst I appreciate that there are people who disregard just about everything Steve says, I think he has written a fairly comprehensive, well thought out, and unbiased article on that page. If nothing else, there is a good vulnerability tester there for anyone and everyone to check their systems.
Also, you may be interested in his discussion with Leo Laporte about the WMF exploit in the most recent edition (episode 23) of Security Now! [4]. Steve explains his vulnerability tester, and the discussion explains the exploit.
Samuel