213 Comments
- Squinty, on 10/12/2007, -1/+14
Listen to the podcast. Yes, there is a comment at one point from Leo stating it's a black hole, but as you listen to the cast two things are clear: 1) Steve Gibson knows what he's talking about, corrects that statement, and notes that this is a "feature" of sorts, intentional yes, but not a black hole (it's a method to allow alternative processing when the initial processing of the WMF fails, like error handling of sorts) and 2) Steve mentions that this has been in Windows since the earliest versions (since 95 I believe), and aside from the implementation amongst versions has had the same "feature" (because of differences between 95/98/ME and Win2k/XP, the latter has been patched whereas the former has not).
Take a moment and listen to the podcast, there is actually a lot of really good information on it. Steve Gibson is not a hack, the guy knows what he's talking about. I agree the statement Leo put up for the podcast is a bit misleading, but don't knock Steve or the podcast itself for that mistake.

- suqur, on 10/12/2007, -1/+11
Here's a snippet of Steve's argument. He's saying it has to do with context, and undocumented features of the exploitable function:
LEO: Well, of course. But let me ask you one more - you're convinced there's no way this could have happened by accident. It can't be a programming error or bad design.
STEVE: No. No. I mean, you know, again, this is as much a surprise to me, Leo, as it is to, you know, anyone who hears this. I did not expect to see this. I expected to find, for example, that the way this exploit worked was that the SETABORTPROC was working correctly, and that I would give it a pointer to my own code a few bytes lower, then I would do something to force the metafile to abort, and then the metafile processing would use the pointer, the legitimate SETABORTPROC pointer, and then basically run the code that was located right there in the metafile. That's what I thought I was going to encounter, something that sort of made sense, like we were originally led to believe. Or actually I think, you know, Microsoft didn't say anything at all. So we just all kind of presumed this was another one of those coding errors that Microsoft now famously makes and corrects on the second Tuesday of every month. This wasn't a programming error. And, you know, so it's like, whoa. When I give it the magic key on the size of the metafile record, then it jumps directly into my code.
Now, again, I will know more in a week. I have to say that, you know, I want to call this preliminary. But I don't see any way that this was not something that someone in Microsoft deliberately put into Windows.

- Nemsoli, on 10/12/2007, -1/+11
Ok, before commenting LISTEN to the episode or read the transcript. This is BIG; this is different than the design feature you guys are referring to. This is something new. And they were very very careful about what was said. And Steve Gibson is a very big advocate for Windows in general so this is not another anti-Microsoft attack.

- cawpin, on 10/12/2007, -1/+10
First, the people on here bashing Gibson obviously didn't listen to SN or didn't pay attention when they were. To said bashers...
From http://www.grcsucks.com/unmaskinggibson.htm -
"Steve Gibson is known for one computer program and one computer program alone: a very old DOS-based disk repair utility called SpinRite last packaged on 1 April 1998 and finalised long before that. Aside from that single program, Steve Gibson has in essence written nothing."
From http://www.grc.com/sr/spinrite.htm -
Monday, June 7th, 2004 — SpinRite 6.0 Released
LAST PACKAGED in 1998 huh? Right...
Yeah, there seems to be a trend here, people not listening or reading.

- dcer, on 10/12/2007, -1/+10
did any of you bashers listen to the podcast? :rolls eyes:

- cgriffin, on 10/12/2007, -1/+9
People need to listen to the podcast before commenting. There is a lot more explanation than the blurb at the top.

- BloodyRids, on 10/12/2007, -1/+8
You retards who post on here after simply reading the headline, need to get your facts straight and do some research into the story before spouting rivers of whiny ***** out of your mouth. Steve never bashed Windows, nor Microsoft. He actually claims that more research is needed on his part. He's NOT screaming "run for the ***** hills, Microsoft is out to get us!" He just simply claimed that this MIGHT be a back door that was intentionally put into Windows.
Stop and listen to the podcast or read the transcript. Stop assuming you know what the story is about. I'd give Steve Gibson a lot more credibility than some ***** on digg spouting off that "GRC sucks!"

- jack1985, on 10/12/2007, -1/+6
If you actually listened to the podcast or read the transcript you would see that Steve says in order to get the code to work you have to lie to the system about the file size to make the code run.

- Cander, on 10/12/2007, -8/+13
"Um, I thought MS stated that it was there intentionally for getting the format to work in the 1st place. Apparently Mr. Gibson doesn't pay attention."
They did. For a security researcher, he doesn't keep up with current events too well.
News flash folks, MS put this in a long time ago as a feature to let developers insert code into WMFs. Yes it was a dumb idea, but it isn't a grand MS conspiracy theory like I am sure many were hoping for.

- codenexus, on 10/12/2007, -2/+6
Steve Gibson could be wrong but boy he's usually really honest. Knowing how good he is at programming and how smart he is I think he's on to something. I hope not but somehow, sadly, I'm not surprised.

- sandrino, on 10/12/2007, -1/+5
Steve Gibson could be wrong but at least he is trying to figure this out and explain it to us which is more than Microsoft has done. No one outside of Microsoft can tell whether this was put in by design or surreptitiously by some programmer. However it was put in, there is no doubt the backdoor is there and the manner that it is triggered is very odd. If you listen to the podcast you will understand why this is likely not just an omission or a mistake. If you have not listened to the podcast, you can't make an intelligent argument.
Steve is hardly a Microsoft or Windows basher. I doubt he is trying to bring Windows down. Since his expertise is on Windows, it's hardly to his benefit to hurt the Windows platform. If Steve Gibson is wrong, Microsoft can make a statement correcting him. Leo invited Microsoft to make a statement on the podcast. I cannot imagine how Leo and Steve could be fairer to Microsoft than that.

- zhackwyatt, on 10/12/2007, -0/+4
Regarding grcsucks.com/, I don't have any respect for someone where their sole purpose is to slander and discredit someone else.

- miker71, on 10/12/2007, -1/+4
The FBI's "Magic Lantern" does not exist ... repeat after me ...
http://www.bbcworld.com/content/clickonline_archive_27_2002.asp?pageid=666&co_pageid=3
With the WMF install option closed to the FBI I guess they'll have to find another way to do their snooping on Windows boxes.
[/overparanoid]

- markman07, on 10/12/2007, -1/+4
"Does anyone here remember the Windows XP raw sockets uproar? I am sure that Steve Gibson is a smart guy and a great programmer, but I tend to take his sensationalist claims with a grain of salt."
Funny though isn't it how Microsoft removed it with a later Service Pack release!!! (silently of course)

- realfinkployd, on 10/12/2007, -2/+5
"There is no reason to switch to Linux because of a single flaw."
I agree. I use Linux, Solaris, AIX, and Windows (not to mention OS X on my laptop) at work, and I always say "use the best tool for the job".
However, "a single flaw"? Windows has certainly experienced more than a single flaw recently, and when determining if something is the best tool for the job, the history of security (or lack of) should certainly be taken into consideration. So should training, but really if you have your datacenter run by people who ONLY know Windows, you are really limiting yourself.

- madpoet_one, on 10/12/2007, -2/+5
Does anyone here remember the Windows XP raw sockets uproar? I am sure that Steve Gibson is a smart guy and a great programmer, but I tend to take his sensationalist claims with a grain of salt.

- kragar, on 10/12/2007, -0/+3
WTF!!! I've been following this story all morning, and although there was good and bad commentary going on, it *IS* a valid story when you listen to the podcast or read the transcript. Where is it on the main page or top stories???

- loweredtone, on 10/12/2007, -1/+3
This vulnerability has apparently been there since Windows 95. I don't know about you but the internet was hardly 'mass-media' back in 1994/5 so it's highly unlikely they would have been able to predict that this backdoor would become usable 10 years later.

- Determination, on 10/12/2007, -1/+3
Steve Gibson nut or not, in the context of this podcast, presents a reasonable argument (not a conclusion.)
Dugg.

- darkmane, on 10/12/2007, -0/+2
I listened to the podcast.. very unconvincing.
Steve's conclusion is that it must be a backdoor because he can't imagine how someone would screw up this particular way. I stopped trying to guess how people can ***** up a long time ago.
A challenge to everyone who thinks he's right: Raise the money for Steve to get a shared source license and give him a chance to look at the code.
For me, it's obvious what likely happened: One error case is not being checked for some reason and it falls through allowing data to be executed. All too common an occurrence.
No digg

- clokwise, on 10/12/2007, -1/+3
Raw sockets eventually came back to bite MS in the butt, thanks to the viruses which exploited it, and they had to cripple it in a service pack. SG was right all along.
I may not fully understand how he arrives at the conclusion that MS planted this WMF backdoor though. I guess the next step to take would be to examine all WMFs on the net for his newfound exploit and see who has been using it and for what purposes.

- galfridus73, on 10/12/2007, -2/+4
Will you people please RTFA or listen to the podcast? Listen to what Gibson is saying before you assume he doesn't know what he's talking about. At least read suqur's post above.
As for grcsucks.com: I'm not going to deny that Gibson can resort to some scare tactics, but that site is just horrendous in doing anything to counter anything Gibson might be saying/doing wrong.

- klynch, on 10/12/2007, -1/+3
I am not surprised by the back doors in the OS - MS presumably disclose this sort of information to many sovereign governments through the program linked below
http://www.microsoft.com/resources/sharedsource/licensing/GSP.mspx
Every OS has back doors and vulnerabilities. as mentioned in the pod-cast the advantage of Open-Source is that you are taking advantage of transparency to ensure that you are secure rather than trusting a company.
Steve's opinion was that it was possibly a rogue programmer or something unauthorized but the interesting question he poses is how did the hole get through the famous Microsoft review?
I

- mjohnston, on 10/12/2007, -2/+4
It's good to see that this vulnerability is getting some exposure, but this article's synopsis is misleading. It is well known that the WMF vulnerability stems from an intentional feature in the design of WMF that allows code to be embedded into WMF images; this code is executed when the image is viewed. The original purpose of this was mainly to handle the cancellation of print jobs during spooling. This is a feature that has extreme security implications in the context of the Internet, but is from another time (Windows 95), when MS had very little interest in networking beyond trusted internal corporate environments. Over the years this code has lived on in Windows without being reviewed in the current context of Internet connectivity. Never ascribe to malice that which can be explained by incompetence. See http://en.wikipedia.org/wiki/2005_WMF_vulnerability for a lot more detail.
I don't mean to make an ad hominem attack (this podcast is actually fairly accurate), but Steve isn't exactly known for being a respected researcher in the security industry - he's a bit of a poser. He frequently hypes issues to crazy levels and tries to make himself look like a hero/expert. In fact, he usually offers little insight and often tries to pass off regurgitation (often inaccurate) as original research. Just listen to him in this recording talking about "rolling up his sleeves" and "wrote all my own code", etc - trying to sound like he substantially contributed to the security industry. Look up his stuff on nano-probes (http://grc.com/np/np.htm) for some really ridiculous stuff. I am a security professional and can tell you that it's mostly BS and/or hyped/obfuscated wording for technologies and techniques that have been in common usage for years and years before he wrote this crap.
Much better resources and much more insightful experts are accessible. Try http://www.schneier.com/blog/ and http://isc.sans.org/diary.php for FAR more interesting information. No one I know or work with pays any attention to Steve Gibson, except as a source of humor. :)

- mjohnston, on 10/12/2007, -0/+2
theone3: I did listen to the cast before posting; however, I just realized that it seems to be busted and cut off two thirds of the way through. I've now read the transcript. Sorry for responding without hearing the entire podcast. As I said, Steve seemed to be fairly accurate in what he was saying - I didn't intend my note on his credibility to constitute an ad hominem attack. However, now having read the whole thing, I do think that he may be jumping to conclusions a bit too quickly.
We ARE talking about the SETABORTPROC vuln that everyone has been talking about; Steve just finds that the vuln doesn't work quite the same way that he was expecting. It seems that Steve is basing his accusation on the fact that he had to set the length field of the code-containing WMF record to 1 (an illegal value) in order to get his code to execute. While this seems odd (and sounds like a "magic value"), there is likely a better explanation. Here's one possibility... The advisory from Secunia at http://secunia.com/advisories/18255/ says that the embedded code executes when any error is detected in parsing the WMF file (not only when canceling printing). Depending on how the parsing code was written, it may treat the invalid length value as such a parsing error, but may have already indexed the beginning of the code block (since it knows the length of the record header) - it just doesn't know when the code block ends. It can then start executing the code block, even though it is an error in the code block's record that caused the error. I wonder if the code block would execute if the correct length was specified but the NEXT record in the WMF contained a similar error (like an invalid length field).
Again, I think that Steve is continuing on his sensationalist streak, jumping to conclusions and trying to drum up more fame for himself. He may very well be correct that someone has intentionally included this mechanism, but he is being premature in making such claims without first consulting the people who have a lot more experience with this vuln than he does. By the way, MS gives access to their source code to a LOT of outside parties - I'm sure that Steve could have found someone to take a look for him.

- dcer, on 10/12/2007, -1/+3
Just to add some more info. This backdoor has nothing to do with printing WMF files - where the vulnerability came from in the first place. If you put a *magic* length in the file it is executed.
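A defensive WMF record walker, added here as an example and not code from the podcast, GRC, Secunia or Microsoft: it enforces the minimum-length precondition trogdoor proposes further down the thread (a RecordSize below 3 WORDs is rejected outright rather than falling through to the error path mjohnston describes) and flags META_ESCAPE records carrying the SETABORTPROC sub-function so a scanner or mail gateway can quarantine them. The header and record layout and the constants come from the public WMF format; the three sample files are constructed inline.

```python
import struct

# Constants from the public WMF format: each record is a DWORD size counted in
# 16-bit WORDs, then a WORD function code, so 3 WORDs is the smallest record.
META_ESCAPE = 0x0626
META_EOF = 0x0000
META_SETBKMODE = 0x0102
SETABORTPROC = 9           # escape sub-function that installs a GDI callback
MIN_RECORD_WORDS = 3
HEADER_LEN = 18            # standard (non-placeable) metafile header


def walk_records(data):
    """Return [(offset, function, size_in_words)] for every record, raising
    ValueError on the first malformed one instead of falling through to an
    error handler the way the parsers discussed in the thread are said to."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    mtype, hdr_words = struct.unpack_from("<HH", data, 0)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("bad metafile header")
    pos, records = HEADER_LEN, []
    while pos < len(data):
        if len(data) - pos < 6:
            raise ValueError("truncated record at offset %d" % pos)
        rec_words, func = struct.unpack_from("<IH", data, pos)
        if rec_words < MIN_RECORD_WORDS:
            # the precondition trogdoor asks for: a size below 3 is impossible
            raise ValueError("illegal RecordSize %d at offset %d" % (rec_words, pos))
        end = pos + 2 * rec_words
        if end > len(data):
            raise ValueError("record at offset %d runs past end of file" % pos)
        records.append((pos, func, rec_words))
        if func == META_EOF:
            break
        pos = end
    return records


def find_abort_procs(data):
    """Offsets of META_ESCAPE records whose sub-function is SETABORTPROC."""
    hits = []
    for pos, func, rec_words in walk_records(data):
        if func == META_ESCAPE and rec_words >= 4:
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
    return hits


def check(data):
    """(True, '') for a well-formed file, (False, reason) otherwise."""
    try:
        walk_records(data)
        return True, ""
    except ValueError as exc:
        return False, str(exc)


# Helpers that build the constructed sample files used below.
def record(func, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def metafile(*records):
    body = b"".join(records)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (HEADER_LEN + len(body)) // 2,
                       0, max(len(r) for r in records) // 2, 0) + body


# Constructed samples: a benign file, one carrying a correctly sized SETABORTPROC
# escape, and one whose escape record claims RecordSize 1 (the "magic" length).
ABORT_PARAMS = struct.pack("<HH", SETABORTPROC, 4) + b"\x90" * 4
EOF = record(META_EOF)
BENIGN_WMF = metafile(record(META_SETBKMODE, struct.pack("<H", 1)), EOF)
ABORT_WMF = metafile(record(META_ESCAPE, ABORT_PARAMS), EOF)
LYING_WMF = metafile(struct.pack("<IH", 1, META_ESCAPE) + ABORT_PARAMS, EOF)
```

Note that the walker only validates structure and never dispatches the escape; a real viewer would additionally refuse to honour SETABORTPROC from untrusted input at all.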
- ArchonSG, on 10/12/2007, -1/+2
Sensationalist or not, nutcase or not, you guys aren't giving credit where it's due. Steve Gibson might not be right and it might be possible that he is wrong but the fact is that the vulnerability does exist. Like it or not, it is there to be exploited and like it or not, there will be people who will be actively working to take any advantage they can, to get into your system and take over, and zombifying it.
At the very least, we'll see a hole plugged, which will be a good thing.

- zhackwyatt, on 10/12/2007, -0/+1
Anybody that calls someone a MS fanboy, must be a fanboy for some other camp.
Anyways, Microsoft is a business and nothing more. If they did intentionally put a backdoor into computers, don't you think that would hurt their business? Doesn't sound like a smart business move to me.

- tylerWillard, on 10/12/2007, -1/+2
"I know:
perl, C++, C, basic/visual
all the crappy ones. ASM is one of the HARDEST!"
Assembler may be the most cryptic but certainly not the hardest. Wrapping your head around template instantiation rules, Koenig lookup, covariant return types, etc, etc, etc is a lot harder than push, mov, pop, and addressing modes.

- MikeG, on 10/12/2007, -0/+1
Sylvia Browne told me that Steve Jobs hired Linus Torvalds to plant an extraterrestrial mole into the Microsoft programming staff so they could insert code to hypnotize the world...no, waitaminute I'm just off my ***** meds again.

- hockeygoon, on 10/12/2007, -2/+3
Time to slap an open source OS on the rest of my systems at work.

- ImpactedColon, on 10/12/2007, -0/+1
Just FYI posters: Anyone who actually includes the sentence "I am a security professional and can tell you..." is automatically discredited. You're a security professional? Where's the link to your web site, or the weekly podcast you produce with not just A TWIT but THE TWIT, Laporte himself? Very fascinating podcast, and if you can't bring yourself to listen to it, download the PDF. Jury's out (even for Gibson, who has reserved the web page http://www.grc.com/wmf/wmf.htm for updates).

- SociopathicHaze, on 10/12/2007, -0/+1
Gibson is a black hole of enthusiasm, and charisma.

- sandrino, on 10/12/2007, -0/+1
In order to have a claim against Steve & Leo, Microsoft would have to show what damage has been done to them. By suing they would attract attention to the issue and thus cause way more damage than Steve & Leo could have ever done. As popular as Security Now may be it does not reach as many people as the New York Times or the evening news. Only us geeks listen to podcasts like Security Now. And a lot of those people listening already know that Microsoft has awful security. Where is the damage?
You don't seem to realize just how hard it is to win a suit in court. Just because you are pissed at someone doesn't mean you can win a lawsuit. You have to have some legal basis to sue someone. Proving slander is not easy and lawsuits are expensive. Besides what can Microsoft expect to gain from Steve and Leo? They are not millionaires, they don't have deep pockets. Microsoft doesn't need or want their money. What Microsoft wants is for this issue to go away fast. They ARE NOT going to call any attention to it. They would cause more damage to themselves by suing than by sitting there and hoping it goes away.
If expressing an opinion, even an erroneous or stupid opinion, was slander, Fox News would have been sued out of existence long ago.

- Barnstormer, on 10/12/2007, -1/+2
I think he got the spin rite this time.

- cornfused, on 10/12/2007, -0/+1
When will congress, the DOJ, or the DHS investigate how a monopoly keeps getting "get out of jail free" cards while the rest of us spend billions cleaning up their messes?
Is it going to take a revolution to reclaim this country for the citizens and not the corporations?

- NtroP, on 10/12/2007, -1/+2
For Pete's sake! Listen to the interview before spouting off that Steve's an idiot.
I went into it with the idea that I already knew about this too, and that he'd just be blowing smoke. This is new. This is NOT the SETABORTPROC issue that everyone's been talking about (at least not the way it was advertised to the world). This is an obvious (to me) back door. Whether MS proper knew about this, or it was just a rogue coder within MS that put it in, is still up for debate (and probably will be forever).
I think MS just got caught red-handed. You have to wonder where other backdoors are. I don't see how any (foreign or domestic) government agency could ever justify using closed source products after something like this for any secure system. They should be auditing and compiling the code they use from source.

- _jinx_, on 10/12/2007, -2/+3
"Steve is one smart cookie- he writes his stuff in assembly. I have lots of respect for him. Maybe he's wrong, maybe he's being sensationalist, but whatever he's doing- he's trying to do good."
LOL, you respect the guy cause he codes in ASM; it seems his choices in language barriers reflect his knowledge of security. ASM is a great language, but anytime someone says "If it's not written in ASM it's not worth coding", you've lost respect from a programmer's standpoint.

- boscorelle, on 10/12/2007, -0/+1
i think we all deserve a >>> Microsoft's Explanation

- elfguy, on 10/12/2007, -4/+5
Microsoft has already answered as to why they did not fix it on win9x, it's because 1- the only attack vector they can find would be thru printing, and 2- it would break functionality:
http://www.securityfocus.com/archive/1/421582/30/30/threaded

- trogdoor, on 10/12/2007, -0/+1
Somebody correct me if I am wrong but if this only works with a record length of 1 where the lowest possible/reasonable length should be 3 then this could easily be patched by just setting the precondition if( length < 3){ throw new MalformedLengthException(length); } and if so why did this take so long to patch?
I have read.

- ArchonSG, on 10/12/2007, -1/+2
I don't know the man, so my respect or lack of it matters little. What I am saying is that while others fling dirt at Steve and call him names I don't see anyone else stepping up to the plate to say "Hey! This is a hole that should have been fixed a long time ago...what took you so long and why?" Intentional or not, it was there.
All it takes for security flaws to exist is for people in the know to say nothing.
So here is someone who is saying something and you guys bash him.
/shrugs
BTW listen to the podcast, it's fairly obvious he's trying to do what's right. Which is more than what I can say for the other "security experts".

- send0me0ur0spam, on 10/12/2007, -2/+3
Steve cannot be wrong, he does his homework before saying anything; above all he is an honest guy.

- codeoptimist, on 10/12/2007, -1/+1
Listen to the podcast before you start bashing it, for goodness sake.
Also, I believe the term is "backdoor", not "back-hole" or "black hole".

- coldsteel, on 10/12/2007, -1/+1
Intentional - well Duh!
Years ago when MS first proposed creating "active content" (i.e. adding code to "improve" content such as word documents etc) a lot of folks said this was a supremely dumb idea. The virus explosion kind of proved this and the proliferation of web bugs in documents and other "cookies" for tracking distribution and access has continued unabated to this day. MS back then, and presumably now, hires smart people who are also aware of the issues and wouldn't have wanted to do this unless "strongly urged" to do so. My guess is it's the same folks that "strongly urge" the laser printer manufacturers to embed serial numbers and/or other codes into every document printed so that they can be traced. So Steve is probably correct in what he says but it's just "Business as Usual" though.

- deadkenny, on 10/12/2007, -0/+0
"Windows back door rumor is bunk" story from The Register...
http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/
Once again Steve Gibson is responsible for spreading panic, fear and lies through his own inflated opinion of his security expertise.

- aldreneo, on 10/12/2007, -1/+1
I know:
perl, C++, C, basic/visual
all the crappy ones. ASM is one of the HARDEST! SO don't diss him for knowing it.

- cornfused, on 10/12/2007, -0/+0
I expect dozens of Microsoft employees to come here and report this story as lame just to bury it. There is a serious "ethics" black hole in Redmond.

- robbh66, on 10/12/2007, -2/+2
Steve is one smart cookie- he writes his stuff in assembly. I have lots of respect for him. Maybe he's wrong, maybe he's being sensationalist, but whatever he's doing- he's trying to do good.
I read his story about how he went and showed up a bot script kiddie in IRC (only took him hours to learn how to break into a pw protected room) a couple of years back- he's a really honest, good guy and if he says it I'm going to believe it until it's proven otherwise.

- mc_hambone, on 10/12/2007, -1/+1
@cawpin:
Yes, but there were many more anecdotes on the site than the Spinrite issue. Please take your own advice and read the rest (especially the articles written by other people about Gibson's lack of expertise).