Open Source and information security mailing list archives
Date: Sun, 15 Jan 2006 13:42:50 -0800
From: Mike Ely <me@...pehat.com>
To: bugtraq@...urityfocus.com
Subject: Re: WMF vulnerability was a deliberate backdoor?


Brooks, Shane wrote:
> I've recently had my attention brought to a post from Steve Gibson in the grc.com forums, which contains the following quote:
> 
> <snippet>
> 	The only conclusion that can reasonably be drawn is that this [setAbortProc procedure] 
> was a deliberate backdoor put into all of Microsoft's recent editions of Windows.
> </snippet>
> 
> full article here:
> http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60006
> 
> thoughts?
> 

Shane,

What you read was classic Gibson: a thorough discussion of a technical 
problem, followed by a wild speculative jump regarding the motives of 
the people who wrote the code.  He's been doing this for years, which is 
why you may notice folks here take a very jaded view of anything he says 
- ever.

In the specific case of his commentary on the WMV vulnerability, I have 
read the same writeup you have read, and my read on it was that he 
was saying something like the following:
	"There's an unhandled exception that doesn't even need to be there in 
the first place, therefore it's a deliberate backdoor."
To me, this just screams "Does Not Follow!"  I've seen plenty of equally 
stupid mistakes coming from Redmond (and elsewhere) that didn't happen 
to result in remote code execution, but were nonetheless astonishingly 
dumb.  For example, up until a couple days ago, you could make the error 
handler at ideas.live.com write all sorts of amusing stuff to their 404 
page simply by appending it to the URL.  Was it a security risk? 
Possibly, probably not.  Was it really dumb?  Duh.

So my take on Gibson's post can be summed up as follows: Interesting 
writeup on the problem, but he's come nowhere close to proving to me 
that the WMF vulnerability was deliberate.  If he wanted to show me the 
source code where it has a comment like "/* The following code is here at 
the behest of No Such Agency.  Do not remove from future versions. */" I 
might start to consider the possibility of some dark conspiracy.  As it 
stands, it just looks to me like Yet Another Dumb Screwup by Microsoft 
(YADSM).

Cheers,
Mike Ely

