89 Comments
- oepapel, on 10/12/2007, -3/+8 "Steve Gibson is a fake, a phony, as how the other digg user said it, a sensationalist. listening to him talk about security is like having a 3 year old discuss the technical issues regarding quantum mechanics."
He targets his speech to the level of the audience listening/reading. He's not posting/podcasting for security experts. He "dumbs it down" because if he didn't then no one would listen/read.
Complaining about this is like reading "security for dummies" and then complaining that it is not in-depth enough! I think he does a good job of explaining computer security to the secretaries and the mom and pops of the world. It saves me from explaining what a router is.
And for the record, I don't think MS was malicious in this case.
- SciGuy, on 10/12/2007, -0/+5 Everybody here is missing the point. Steve is a Windows guy through and through. He has found something very scary here -- code that allows someone who knows into your system. It only worked, under his test conditions, if he entered an incorrect size in the metafile. This fact, and the fact that this hole (even without the incorrect size trigger) shouldn't exist in the first place make this seem to be beyond incompetence.
Check out his response that was just posted on digg. As noted, this explanation from the blog explains why the hole was there in the first place (and why it wasn't initially dangerous) -- not why it became a backdoor in ME/2000/NT.
This isn't a Steve popularity contest. It's a question of how and why someone left this hole open.
- mrmartini, on 10/12/2007, -0/+4 Steve and Leo aren't doing this to smear Microsoft, and they clearly note in the podcast that they want Microsoft to have the chance to explain the reasoning for this.
If Microsoft has nothing to hide, let them release their code? And if you think Microsoft has your interests at heart more than the Security Now team, then yes, you get what you deserve.
It's like saying we should take everything a politician says to us at face value, without any corroboration and if that's the world you want to live in, build a time machine and head back to Germany...1939 might be just right...
- osrevad, on 10/12/2007, -0/+4 DID ANYONE ACTUALLY LISTEN TO THE PODCAST?
He never said Microsoft did this for sure. He said that from what he could tell, it was the only explanation he could think of, and that he would probably be proven wrong by someone. It was just a theory he was stating.
- theone3, on 10/12/2007, -1/+5 A response! This guy needs to get on the show with Steve + Leo to explain it straight from the horse's mouth.
- Lynn, on 10/12/2007, -0/+3 Gibson claimed that the flaw could be exploited only by using a byte size of 1 in the metafile record, which Toulouse says is incorrect. He surmised that Gibson's tests had the offending function as the last entry in the metafile, which caused only incorrect sizes to trigger the flaw.
- karamba_kid, on 10/12/2007, -1/+4 I think Steve Gibson had every right to call this a "Backdoor". The evidence that he gathered in his research suggests that this was intentionally put into the Operating System and without being able to look at the source code you should always assume the worst (remember this IS Microsoft we're talking about). He also said that he will look into it more and he even said that he could be very wrong on this one. Either way I'm personally staying far away from any piece of software that comes from Microsoft.
- Sumyunguy, on 10/12/2007, -0/+3 ummm...am I missing something here? The blog post doesn't even mention Steve Gibson!
- einsteindesign, on 10/12/2007, -1/+4 I don't understand how the Gibson claim was news to begin with. When the exploit first surfaced it was openly described as a built-in feature. The abortproc crap was intentionally in place as part of the WMF spec. Stupid idea but not malicious.
- foxhoundadmin, on 10/12/2007, -0/+3 legacy code? why was it there in the first place? steve is right--just a little over-the-top.
- Aard88, on 10/12/2007, -0/+3 Ok what am I missing here? This article doesn't mention Steve Gibson at all. Sure we can connect the dots, but this article doesn't specifically dispute by name anything claimed.
- 5blocksfree, on 10/12/2007, -0/+2 >> If he is right then no problem. The evidence is mounting that he is wrong.
What evidence? Microsoft refutes the claim- that's evidence? Of course Microsoft will refute the claim - can you imagine what would ensue if it was intentional, and Microsoft admitted it?
Then you have a bunch of security "experts" making general comments about it, without addressing the SPECIFIC reasons behind Gibson's claim.
What evidence are you referring to?
- cornfused, on 10/12/2007, -0/+2 If you believe Microsoft, you get what you deserve.
- jav1231, on 10/12/2007, -0/+2 There is no doubt this was intentionally put in. Now think about how long this has been there. Microsoft practically abhorred security in those days. So it's not exactly a stretch for them to use this as a backdoor but I wouldn't think they did. Does it place some kind of veil of righteousness over them if it's not a backdoor? No. It's still a clear illustration of the lack of concern for security they had and have had until very recently. Frankly, I think they forgot about it.
- Guspaz, on 10/12/2007, -2/+4 Steve does sometimes blow security problems out of proportion. He went on a crusade against UPnP, and states many incorrect facts about it. He tells users that one reason why it's so dangerous is that there is no way of knowing what ports are opened via UPnP. This is patently false, since Windows XP can give you a list of the open UPnP ports on the router by opening the properties dialog of the device via the Network Connections control panel. In addition, some routers/firmwares (such as dd-wrt) will provide a list of such ports in their interface.
UPnP isn't actually a very big security risk, because it is only a problem if a nefarious program is on your system, and you allow it the ability to access the network. First of all, with good virus and malware protection (and a smart user who doesn't run random crap or click on EXEs in email attachments), the chance of having such a program on your system that you'd care about are nil. Secondly, if you run a host-based firewall (ZoneAlarm, Kerio/Tiny Personal Firewall, etc), the firewall will pop up a dialog informing you that said application is attempting to access the network. If it is a legit program trying to use UPnP, just hit "allow" and the port is mapped. If not, don't allow it.
Steve makes it seem like UPnP can never be used safely, when in fact it isn't even a very big security risk WITHOUT a host-based firewall. If you have a trojan on your PC trying to open ports via UPnP, the UPnP part is the least of your concerns!
- SniperGX1, on 10/12/2007, -0/+2 It's the closed nature of this software that allows issues like this to turn into such a dispute. If it were open source there would be thousands reviewing the code to ensure it works. Microsoft brought this upon themselves. If you are concerned with all the security holes switch to an open source operating system. If you want to stick with microsoft then bend over and take it cuz it aint getting better.....ever.
- brickbat, on 10/12/2007, -1/+3 Hmm...Gibson or Microsoft....tough choice....
Gibson in a heartbeat.
- xero, on 10/12/2007, -1/+3 If you put Microsoft in a room with the truth, you risk a matter/anti-matter explosion. The fact is you can't trust microsoft. Ever. Steve is a bit of an alarmist but most of the times right (from what I can tell.) So you have to ask yourself if you believe a company that makes buggy software and lies to its users all the time, or an alarmist security expert. I pick the expert.
- vr1000, on 10/12/2007, -0/+2 This just confirms that MS is carrying a lot of spaghetti code in Windows. You would think with all their money, and their supposedly genius level employees that the code would be a little tighter.
- nullvector, on 10/12/2007, -1/+3 I don't know why people listen to Gibson. To me it seems like he's one step short of total paranoia and fear mongering. I like to get my data from industry sources such as the companies that actually write the software, and publish the anti-viral/spam fixes. Listening to a third party isn't always accurate.
Security is important, but facts and truth are more important. "Conjecturing" on something that you haven't personally written or coded is often the first step to misreading the situation.
Like others above, I have to question a "security expert" who isn't patient enough to wait out an official response before offering up summary judgements in public about a company's motives.
- inactive, on 10/12/2007, -0/+2 Of course the real tragedy is that just because Microsoft immediately deny what he is saying is true everyone immediately believes them - just as they believed M$ could be capable of deliberately inserting a back door into the world's favorite OS (ha!)
When you get your information from the same place you get your misinformation, who is there left to really trust?
On a lighter note, I use a Mac.
- link470, on 10/12/2007, -0/+2 whoa whoa.....wait, the microsoft guy is a horse?!
- ramsinks.com, on 10/12/2007, -0/+2 Um, it's clear that blog doesn't mention steve.. however they quickly had to write something to cover their asses.
wake up kids.
- Steve95613, on 10/12/2007, -0/+2 The headline is misleading, since Steve Gibson isn't mentioned anywhere in the story. The article is an opinion, the opinion of the author. What Steve has to say about EMF is his opinion.
So why all the hate? Whether you agree or disagree with Steve Gibson, has he done anything horrible to the Internet community? At the least, he has shown people how to make their Internet experience a little safer, how to make it a little harder for bad people to do bad things, and is part of an informative and helpful podcast.
- Lynn, on 10/12/2007, -2/+3 Also see this slashdot post:
http://it.slashdot.org/comments.pl?sid=173878&cid=14466008
- embraceware, on 10/12/2007, -0/+1 I've been a huge fan of security now - I wasn't impressed with Steve on this last episode. Very poorly handled.
- einsteindesign, on 10/12/2007, -0/+1 "...Why? What he was saying is true...."
You need to understand the definition of slander. The only fact is that the WMF spec included the abortproc thingy. To comment on WHY they included it, and to accuse them of doing so in a deliberate attempt to create a backdoor (or whatever) is flat out libelous.
- einsteindesign, on 10/12/2007, -0/+1 @replica...
That's code for teh buttsecks.
But seriously, why the hell would you create a backdoor -- if your intent was to enter a machine whenever you wanted -- when the method relies on the user viewing a specific graphic containing an exploit? Owning a user machine in the era of Win 3.0 would accomplish what exactly? 14.4 was still pretty fast, spam came in the form of junk faxes, and zombies only existed on ***** late night movies. There's no MOTIVE to create a backdoor on a user machine with a remote trigger.
- replica, on 10/12/2007, -0/+1 Steve could be in legal trouble. He is saying Microsoft did this intentionally. He is saying this as a fact. His Windows MetaFile Backdoor research and vulnerability utility uses the term "backdoor" five times. Twice it is referred to as a "Secret Backdoor" WTF?
- replica, on 10/12/2007, -0/+1 @einsteindesign
He even calls it a "Secret Backdoor"
- mntpng, on 10/12/2007, -1/+2 There is lot of misinformation being thrown back and forth here. You really have to listen to his podcast and then see his write up as well as his rebuttal to his criticism. Also I think you have to be a seasoned programmer to understand why he came to this conclusion. I think he has presented sufficient evidence to be alarmed about and raises some important questions. I have yet to read a point to point technical rebuttal on his claims. So far I've only seen personal attacks, and some very broad denial without any alternate plausible explanation of his findings.
I know there is a rampant MS fanboyism going on here as well as some astroturfing. The obvious "Steve is an idiot" type of comment actually leads me to believe he is actually onto something here. The sheer amount of efforts to discredit the messenger but not the message itself only makes me think that he indeed has stepped onto something pretty big. You have the right to disagree with him but doing it without any factual alternate view just makes you look like some immature fourteen year old boys who's been standing in line to buy an XBOX 360 for too long.
- cornfused, on 10/12/2007, -0/+1 Where's the 1200+ digg story that brought this up yesterday? Why is this site so easily censored by Microsoft and its fanboys?
- geminitojanus, on 10/12/2007, -0/+1 This rebuttal is very sensical, and that's a rare thing from Microsoft and anyone that works for them, but it also is very odd..
The person who answered it referred (almost explicitly) to Steve Gibson, but referred to him implicitly as "the people". Whether he just wanted to go on the record, was told to go on the record, or simply wanted to put a corporate mask over an answer for Microsoft to speak up for the bug, his speech was tactful and on point.
To tell you the truth, I'm just glad that there's a little bit better understanding of why this doesn't work for the older versions of Windows, and that Microsoft was responsible enough to patch it, even if they weren't entirely timely about it (faster than their normal patch cycles, still slow enough that people were able to release their own patch before it).
- boscorelle, on 10/12/2007, -0/+1 Steve Gibson proposed a theory.....the real truth of it is that we will probably never know for sure
- aussiehuw, on 10/12/2007, -0/+1 This Microsoft blog post doesn't explain why an incorrect value will trigger the callback immediately, rather than in the next metafile record.
- sandrino, on 10/12/2007, -0/+1 If it isn't a back door, why is the code still in there? They had a "security review" of their code and they still left this in. Why didn't they take it out then?
If you think this isn't worrisome, remember that the military uses Windows. Do you want the computers in our nuclear submarines and aircraft carriers, etc. having vulnerabilities like these? Do you want your personal information in a computer that can be compromised so easily?
I don't think that our government should be using a closed OS unless they are allowed to audit it. Problems like these are not just inconvenient anymore, they can do a lot of damage. This issue deserves serious exploration and it is not a matter of hating Windows or being a Mac fanboy.
- diggnationdevon, on 10/12/2007, -1/+1 I agree with Microsoft.
- maloney_633, on 10/12/2007, -0/+0 Of course Microsoft will refute the claim
- Snarfalunch, on 10/12/2007, -2/+2 Microsoft Disputes WMF Claim by Steve Gibson
How in the f*ck is this news. What on earth did you expect, a Microsoft statement that, "Yes by golly Steve is right. It's a backdoor and we did it"? Geez you are easily surprised.
- OBKenobi, on 10/12/2007, -0/+0 Nothing to worry about. There are 500 other backdoors in Windows just like this.
- mtupker, on 10/12/2007, -0/+0 The problem here is that everything I've heard from both Microsoft and Gibson sounds plausible. The only thing that might point to the truth is the fact that the flaw exists in wine as well.
- Metal_Hurlant, on 10/12/2007, -0/+0 mod parent up +1 Funny!
- Chas555, on 10/12/2007, -0/+0 I cannot believe for one minute that Microsoft did not leave a backdoor in their product/products.
It isn't in their nature to play fair.
- macko, on 10/12/2007, -2/+2 this is getting super annoying.
Digg = Linux is cool = MAC love = Microsoft hate.
seems so childish to assume anything.
Just because it's Linux doesn't mean it's cool...and just because you love Mac doesn't mean it's the best OS in the world...and just because it's Microsoft doesn't automatically mean it's awful and malicious.
- RAT-Man, on 10/12/2007, -0/+0 Damn, I still have to listen to this week's Security Now episode. I'll see if this story is digg worthy after I listen.
- asdfer, on 10/12/2007, -0/+0 LOL - If only they released Windows' source-code along with a nice documentation.
- panditacjp, on 10/12/2007, -1/+1 Man, now we know Bill lets his employees Digg.............. Windows sucks..
- eastshores, on 10/12/2007, -2/+2 "I'd like to see Steve's response to this. He might need to eat quite a bit of humble pie."
After the number of digg readers that hit his site and learned of him yesterday... I doubt he really cares. Mission Accomplished *radio noise*
- stalinvlad, on 10/12/2007, -0/+0 Well good to hear Win9x is safe, I still have a 6 yo laptop with 98 on it
- Barnstormer, on 10/12/2007, -0/+0 Not a lawyer, but I don't think that speculating or opining that someone within MS put a hook or back door in their O/S is actionable libel (or whatever the corporate equivalent of libel is). Steve seemed to take pains to qualify his statements to cover an individual developer acting on his own to put this in the product without MS necessarily authorizing it. He did express incredulity that it passed security review.
That said, I can also understand the article's author's comment that when originally implemented it was assumed that the O/S could trust the process using the WMF callback design. That would be naive now but not then.
Anyway, the big kick I got from the original podcast was Gibson saying that this is exactly the sort of thing that makes the case for open source.