94 Comments
- oepapel, on 10/12/2007, -0/+17
I have a possible explanation on how this got added with Windows 2000. At least it makes sense to me.
Before Windows 2000, NT was its own OS with its own personality. It was fairly secure (for the time), had ACLs for every kernel object, and had its own implementation of GDI and USER that were more or less compatible with the Win9x versions. At the time, it was kind of assumed that the vast majority of people would recognize the superiority of the NT code base and transition to it, and the early adopters would make sure that their code would also work on NT, making changes as necessary to support the "not quite" compatible GDI and USER. It was also competing against OS/2 which, as an alternative, required a total rewrite.
Then a funny thing happened. The Win9x code was viewed as "good enough" and some UI updates that never made it to NT convinced people that NT wasn't the way to go. So Microsoft made a hard turn to the left and decided to produce a "merging" OS (Windows 2000) that had the stability of NT and the cool UI of Win9x. This caused the NT team to have to swallow a lot of pride and tighten up the compatibility of USER and GDI. Now, they weren't going to borrow code because that would contaminate the better code base (programmers can be very arrogant), so instead they went by the formal specification and then only "broke" the spec when it meant better compatibility with Win9x. This was when this WMF code flaw was written. The flaw was never tested because who would put code in a graphics file at that time? Besides, defective WMF files were caught by NT's structured exception handling anyway. It was also preemptive from the start, so testing of cooperative multitasking techniques was only done during compatibility testing, and Win9x didn't have this, so it wasn't tested, yet again.
Fast forward 5-6 years and here we are. In that time, the incorrect behaviour was never encountered. It was part of the spec, so any security scans of the code would have seen it as necessary in order to not break compatibility. Besides, they were far too busy fixing buffer overruns to worry about insecure-by-design issues.
This whole issue is a testament to programmers' arrogance and underestimation of the problem.
That, and I believe that Microsoft used a lot of intern programmers at the time. Correct code just meant it didn't crash. Interns are great, but they don't necessarily have the experience of avoiding pitfalls that will come back later and bite them in the butt. Even with supervisors, it probably wasn't common practice to review every line of code thoroughly. Even if it was policy to do so, that doesn't mean it was done.
One got past the goalie. It happens.
- harmlessinc, on 10/12/2007, -6/+17
For the people (like myself) that aren't cheering on Mr Gibson, it isn't due to some misplaced fandom of Microsoft. It's due to Mr. Gibson referring to himself as a security expert when all he does is post questionable material about security on his web site.
I've never once seen a post from him on any of the security mailing lists (bugtraq, full-disclosure, etc.), where other recognized security experts could discuss and debate the information he is putting out. No, instead we get podcasts promoting Mr. Gibson.
I have no problem with him bringing up the topic or his work in general (as noted, SpinRite was the program back in the day), but the way in which he chooses to go about it is what calls into question his motives. This, combined with the tendency to over-hype every issue he comes across, means that after a while it has the "Boy who cried wolf" effect on anyone who follows computer security issues.
- monolith, on 10/12/2007, -1/+9
Steve Gibson reminds me A LOT of Richard C. Hoagland... you know... the Mars face guy. I don't think that Steve is a crackpot... but he kinda acts like one... despite the fact that he has done some good stuff... for example, he is promoted and listened to beyond all reason and he encourages it, laps it all up. His latest IS a paranoid rant full of conjecture and alarmist double speak...
It doesn't mean that he is wrong about the 2000/XP flaw being a planted back door...
Just that in a confusing world people latch onto any seemingly knowable character... and have a tendency to inflate reality out of recognition... and that seems to happen with Steve, with his endorsement.
Ugh... maybe I'm just jealous.
- Rhinehold, on 10/12/2007, -7/+15
Bogus? You realize that SpinRite was THE hard disk utility of the late 80s and 90s, right?
You can disagree with his analysis on this issue, but calling him a fraud just causes you to lose credibility right there (as if you had any to begin with).
- boscorelle, on 10/12/2007, -1/+7
From TWiT:
Some thoughts about Microsoft's MSRC Response
Submitted by Steve Gibson on 14 January, 2006 - 2:23pm.
Gang,
I wish you guys were hanging out over in the GRC newsgroups where this topic has been enjoying a really great debate. Below are a few of my recent postings there.
If you will carefully read the VERY well crafted Microsoft blog posting, then carefully read my thoughts about it, I think you'll see that it says less than it appears to, and that Microsoft is still working to steer the industry away from what I believe is the truth. Unfortunately, the press and other uninformed people are playing into Microsoft's hands ...
http://www.GRC.com/groups/news.feedback:60309
http://www.GRC.com/groups/news.feedback:60315
http://www.GRC.com/groups/thinktank:2943
http://www.GRC.com/groups/news.feedback:60412
And, also, Mark Russinovich (of SysInternals, "Rootkit Revealer", etc. fame) contacted me Friday morning to ask for my source code, samples, executables, etc. He received everything he asked for and is currently working to independently analyze the situation.
This is a GOOD thing. He will conclude that, while this probably wasn't a deliberate backdoor, and while I was wrong in my initial conclusion about the metafile length as a 'secret key' (because the interaction of the Length parameter is apparently more complex than that (which I couldn't know without analyzing Microsoft's code)), he will report that this MetaFile code execution facility WAS deliberately built into Windows from NT on.
If, additionally, he is able to use his own deep (and non-hostile) contacts inside of Microsoft to learn WHY it was put in there, we might finally learn a truth that, so far, I believe Microsoft has been working HARD to hide.
Stay tuned!
- Philoushka, on 10/12/2007, -9/+15
All people talking smack about Gibson: this is a Rose site; all TechTV alumni are given a major 'pass' by the majority of the website visitors simply because they miss the TSS days with Rose/Foo/Laporte/Norton/Prager/Yoshi/Heron etc. ad nauseam. Dare we come up with a critique of Gibson, lest we be scolded by the TechTV fans.
Gibson is *NOT* a security specialist. Any goofball can create a podcast.
Ask yourself this: why *doesn't* Gibson contribute to the computer security world in the most effective means? Money quote:
"Steve Gibson often is referred to as being a "Security Expert", yet one has to see his appearances on *real* security boards/interviews/gatherings. Where was Steve Gibson at the Defcon/BlackHat Conference? Why doesn't he comment on Bugtraq or other SecurityFocus mailing lists?"
- inactive, on 10/12/2007, -0/+5
If you can write code that works as a backdoor using SetAbortProc, then it's a backdoor.
As for Steve Gibson, who cares about his stats? If you can prove his code does not work, that's one thing, but I bet most of you can't make this work yourself. Also, Windows is so big code-wise there could be a backdoor the size of an alien mother ship in there and you'd never see it.
- stalinvlad, on 10/12/2007, -2/+7
To err is human
Last Security Now I was listening to, he was going to write a patch for Win9x; now he writes he knew all along it was not at risk.
Also, to say putting in the SetAbortProc was stupid ignores the WMF idea: a giant list of GDI calls.
But as he says, Win9x/NT got it right by ignoring it, yet W2000/XP seem to use a print function for displaying a graphic. This does seem to give credence to the paranoia.
Perhaps M$ should investigate who did this code and where they work now.
Anyway, ++digg
- NtroP, on 10/12/2007, -3/+7
Look, I'm not trying to be a Steve apologist or anything, but it irritates the hell out of me when I see the SUBMITTER mis-reading and mis-quoting the article. First, the change occurs AFTER Windows NT. Win9.x AND NT are not vulnerable. 2K and UP are.
Also, TFA never even mentions the kernel, but we have asshats who say dumb ***** like "First of all, the SetAbortProc is not a kernel function, so Steve Gibson loses credibility right there. (As if he had any left)." That was the retarded submitter, not Steve.
Then we have our own "armchair security experts" who read only the erroneous summary and start making more judgments.
This time Steve has a point. The MS blogger (this was not a press release, it was a blog - that's been MS's [non]response) points out exactly what Steve said he expected to be the case (for those of you who also didn't bother to listen to the podcast or read the transcript). He thought there had been a change in behavior between NT and 2K - and this just proves it.
Why would A) the proper behavior of ignoring the SetAbortProc have been changed? And B) why would completely new behavior be introduced in which not only would SetAbortProc no longer be ignored when not printing, but instead of it returning a pointer into a device context, it would EXECUTE CODE IN THE WMF!?! It never had that behavior before. There is no situation where that behavior would ever make sense!
Microsoft has not responded to this in any credible manner (employee blogs don't count as formal corporate communication for issues like this). I don't care if the claim is made by a crackpot or a grade-school student; if they are right, I want an answer. This time I think Steve finally has something.
But for Christ's sake - read the articles before you post stupid ***** that others read and then form opinions with! This is digg. Slashdot is where you aren't supposed to read the articles.
- jeremy.heslop, on 10/12/2007, -2/+6
rhineh said "Bogus? You realize that SpinRite was THE hard disk utility of the late 80s and 90s, right?
You can disagree with his analysis on this issue, but calling him a fraud just causes you to lose credibility right there (as if you had any to begin with)."
I actually used SpinRite on a hard drive last week and recovered some bad sectors that had crept up in the system registry. So I'd say it is still a good product for the 00's.
- damniampretty, on 10/12/2007, -0/+4
Weird.
Everyone has enemies on the net. Some people dislike Google, Wikipedia, even digg.
But what is so bad about Steve Gibson? Since when is saying you suspect something a sign that you are arrogant anyhow?
Nonetheless, what this means is that ME has a security feature that XP doesn't have... which seems to make me laugh.
- dynamx, on 10/12/2007, -2/+6
Enough is enough already.
/. and about 10 different submissions here? And all seem to make it to the homepage.
- verucasalt, on 10/12/2007, -1/+5
"Microsoft has yet to acknowledge..."
Oh really? What do you call this? http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
- harmlessinc, on 10/12/2007, -5/+9
"most folks simply don't understand the issues at hand."
Funny - that's the same complaint the security field has of Mr. Gibson.
- Lynn, on 10/12/2007, -3/+6
Conspiracy theorist = Absolutely everything is proof of whatever you are claiming, including clear evidence to the contrary.
- mehere, on 10/12/2007, -0/+3
For those who complain about Gibson - please give me an alternative "security expert" who:
1. Actively evangelizes security issues.
2. Makes a genuine effort to help educate the "non-experts" as to what to do to secure their machines.
3. Writes and gives away code to help you do so.
If someone is doing a better job of informing and helping the public with computer security, I want to know about it. Gibson may not be the best at security, but at least he's trying to help out the masses, which are the very people who need the most help.
- FunHeadlines, on 10/12/2007, -1/+4
Can't you read? Steve and Mark had a conversation during which Mark asked to see Steve's work. During that discussion Mark confirmed some of what Steve concluded, and made other corrections, assuming Mark can double-check Steve's results. If they do double-check, then, Mark evidently told Steve, this is what I will conclude based on what you reported.
Weird seeing so many ad hominem attacks on Steve instead of focusing on the problem that exists because this code was never found in Windows despite years of security audits by Microsoft. No matter the explanation, Microsoft looks bad here. No doubt that is why so many Microsoft apologists (or maybe even shills, for all I know) have been blanketing the Web with attacks on Steve while ignoring the code.
How about we ALL just be patient and see this get independently confirmed or denied, wait to get an OFFICIAL response from Microsoft, and then draw our final conclusions?
- mntpng, on 10/12/2007, -2/+5
I would really like to hear Ilfak Guilfanov's take on this.
- rankinreb, on 10/12/2007, -0/+3
Well, if you listened to the podcast, he said he found this on Wed, they recorded the podcast on Thu, and he would keep digging into it to see if he could make any more sense of it, and if he found out he was wrong he would let us know next week. What more could you ask for? For those of you that haven't heard the podcast and want to hear it, it is mirrored here: http://www.archive.org/download/SecurityNow_Episode_22_The_Windows_MetaFile_Backdoor/SecurityNow22_TheWMFBackdoor.mp3
- drycounty, on 10/12/2007, -1/+4
Christ, y'all whine too much. Steve's a good guy. As for defending calling him a hack by him not going through "credible" channels first -- WHAT credible channels? Everyone has a personal favorite security site -- Steve has his own. The fact that he doesn't correspond with twelve (or however many) other "experts" might just mean he's too freaking busy. I'd rather he cry wolf than not, personally.
Go Steve!
- stoops, on 10/12/2007, -0/+3
Dude, I can't believe Steve's site is down, but I do respect what Steve says about security in general, even if it's theoretical stuff. I remember reading his DDoS report the last time this happened; I would have thought he wouldn't let this happen again. lol. Anyway, I guess we will hear about this in the next Security Now!
- verucasalt, on 10/12/2007, -2/+5
"ing about an "additional step" that was LATER TAKEN OUT of Windows metafile processing, since Windows 9x/ME/NT came *before* t"
OK... one last time, since I seem to have trouble getting through to the incredibly dense digg user. The WMF code in 9x and NT was written from scratch by two DIFFERENT teams. Nothing was added or removed from one or the other. THEY WERE DIFFERENT IMPLEMENTATIONS, so of course they act differently. GOT IT?
- codenexus, on 10/12/2007, -0/+2
One thing I will say about Mr Gibson is that if he is proved to be wrong, at least he says so. Some people hate being proved wrong and won't admit it, but I have heard him admit it.
You know, it's a big complex world out there and it is extremely easy to be wrong. I think it is good that someone occasionally gets passionate about something. Hey, and haven't we all jumped on a bandwagon a bit early sometimes and said something dumb? Well, I'm not going to say either way if he has done this, because I think it is too early to tell.
All I will say is good on you, Steve, for at least looking at this stuff and commenting on it. So-called other security experts rarely can be proven wrong because they don't say much. The less you publicly say, the less likely you can be proven wrong. It's a matter of averages.
- CatcherInTheWhy, on 10/12/2007, -1/+3
I think my biggest problem with Steve's podcast is that Leo sits there and makes comments that are just retarded. Don't get me wrong, I'm a big fan of the old ZD-TV/Tech-TV crew and watch or listen to just about every podcast or vidcast produced by Leo, Martin, Pat, and the whole gang, but Leo is explicitly anti-Microsoft, to the point where he is not objective as a journalist. Though Steve does write good code, he should not make accusatory statements without first breaking the news of his "discoveries" to other security experts.
Instead, I'm sure he was talking to Leo and Leo convinced him to break the news on "their" podcast, in order to make some headlines. A sure sign of a pseudo-scientist is not submitting work for review by educated PEERS, and the same is true of security experts: even if Gibson is very knowledgeable, his methods create pointless arguments when he allows someone like Leo to sensationalize relatively minor security holes.
- Matt2k, on 10/12/2007, -1/+3
> as I have suspected, Windows 9x/ME/NT are NOT in any way vulnerable because THEY are processing the presence
No Steve, that is NOT the case. 9x/ME/NT ARE vulnerable; they require interaction from the user to initiate IE printing the image to the printer.
What makes newer versions vulnerable (as I understand it) is that the Picture & Fax Viewer application automatically converts the WMF to an EMF (enhanced metafile) by "printing" the WMF to an EMF. Printing in Windows is handled in a mostly device-independent fashion, so "printing" to a screen can use the same code as printing to a printer.
As I said, that's my understanding.
There may very well be something sinister here, but I'm LESS inclined to believe it because Steve says so.
- neofactor, on 10/12/2007, -0/+2
I do not know why people are dissing Steve.
He is a huge Windows user... who founded... in the day... personal firewalls... as well as developing the initial anti-spyware software used today.
If you listen to him on the Security Now podcast he is very insightful.
He would love to be wrong with his speculation... but to date no clear statement has been made to sufficiently counter his claims.
- oepapel, on 10/12/2007, -0/+2
"Why would A) the proper behavior of ignoring the SetAbortProc have been changed? And B) why would completely new behavior be introduced in which not only would SetAbortProc no longer be ignored when not printing, but instead of it returning a pointer into a device context, it would EXECUTE CODE IN THE WMF!?! It never had that behavior before. There is no situation where that behavior would ever make sense!"
Sure there is! If you read my previous post in this thread, I explain just how it could have happened, but I'll summarize here.
Win2000 was the "merging" OS between the Win9x and NT code paths. These two groups were quite separate before Win2K, but once Win2K was announced, they needed to tighten up the relatively poor compatibility between the two OSs. The NT group then wrote the WMF code from spec because they viewed the 9x code as inferior. They screwed up their implementation, but for many valid reasons it got through testing and hasn't been touched since. It didn't break compatibility and that was their primary goal, not security. It was overlooked during security reviews because it's part of the spec, and MS until XP SP2 still viewed compatibility as more important than security. Besides, there were enough holes getting plugged with buffer overrun issues.
MS isn't going to now say "Hey guys, we really dropped the ball on this one. This is really embarrassing. This is not just a huge programming bug but a giant security hole. Someone was asleep at the wheel and will get fired as soon as we can find a scapegoat."
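What NtroP and oepapel are arguing about above comes down to one record type: a WMF is a list of GDI records, and the vulnerable builds honour a META_ESCAPE record carrying the SETABORTPROC escape while rendering. The scanner below is an added example (not code from this thread, from GRC or from Microsoft) of the defensive check a practitioner would want: it walks a metafile's record stream, skips the optional placeable header, refuses to trust an impossible record size, and reports every SETABORTPROC escape; the record and escape numbers are the documented WMF constants, and the sample metafiles are constructed here and carry only inert placeholder bytes.

```python
"""Flag WMF files whose record stream contains a SETABORTPROC escape.

Added example (not from the thread, GRC or Microsoft): a defensive scanner for
the META_ESCAPE/SETABORTPROC record at the centre of this discussion.
The sample metafiles at the bottom are constructed for this example.
"""
import struct

PLACEABLE_KEY  = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
STD_HEADER_LEN = 18          # META_HEADER is 9 WORDs
META_EOF       = 0x0000
META_ESCAPE    = 0x0626
SETABORTPROC   = 0x0009      # GDI escape number carried inside META_ESCAPE


def find_setabortproc_escapes(data: bytes):
    """Return (offset, size_in_words, byte_count) for every META_ESCAPE record
    whose escape function is SETABORTPROC.  Walking stops at META_EOF or at the
    first record whose size field is impossible (below the 3-WORD minimum or
    running past the end of the buffer), so a bogus size is never trusted."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22                                   # skip the placeable header
    if len(data) < pos + STD_HEADER_LEN:
        raise ValueError("too short to hold a WMF header")
    hdr_type, hdr_size = struct.unpack_from("<HH", data, pos)
    if hdr_type not in (1, 2) or hdr_size != 9:    # 1 = memory, 2 = disk
        raise ValueError("not a WMF header")
    pos += STD_HEADER_LEN

    hits = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or pos + size_words * 2 > len(data):
            break                                  # malformed record: stop
        if func == META_EOF:
            break
        if func == META_ESCAPE and size_words >= 5:
            esc_func, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if esc_func == SETABORTPROC:
                hits.append((pos, size_words, byte_count))
        pos += size_words * 2
    return hits


# --- helpers that build small constructed metafiles to exercise the scanner ---
def wmf_record(func: int, params: bytes = b"") -> bytes:
    """RecordSize (DWORD, in WORDs) + RecordFunction (WORD) + parameters."""
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records) -> bytes:
    body = b"".join(records) + wmf_record(META_EOF)
    max_words = max(len(r) for r in records) // 2
    total_words = (STD_HEADER_LEN + len(body)) // 2
    # Type, HeaderSize, Version, Size, NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


# Placeable header: key, handle, bbox (0,0,100,100), inch, reserved, checksum.
# The checksum is left 0 because the scanner does not validate it.
PLACEABLE_HEADER = struct.pack("<IH4HHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
SETMAPMODE = wmf_record(0x0103, struct.pack("<H", 8))                # META_SETMAPMODE
RECTANGLE  = wmf_record(0x041B, struct.pack("<4H", 100, 100, 0, 0))  # META_RECTANGLE

BENIGN_WMF = build_wmf([SETMAPMODE, RECTANGLE])
# Escape record with four inert placeholder bytes of escape data (constructed).
ESCAPE_WMF = build_wmf([SETMAPMODE,
                        wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"XXXX")])
# A record claiming a 1-WORD size is impossible; the walker stops instead of looping.
MALFORMED_WMF = build_wmf([SETMAPMODE, struct.pack("<IH", 1, META_ESCAPE)])

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("escape", ESCAPE_WMF),
                       ("placeable+escape", PLACEABLE_HEADER + ESCAPE_WMF),
                       ("malformed", MALFORMED_WMF)]:
        print(f"{name:18s} -> {find_setabortproc_escapes(blob)}")
```

A hit means only that the record is present; whether the viewer honours it is the platform question the thread is arguing about, so treat the result as a reason to quarantine and inspect, not as proof of exploitation.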
- yongoboy, on 10/12/2007, -0/+2
Steve deserves a lot of credit here. He's got the balls to put it on the line and question the inconsistencies he sees. We need to see more risk takers than sheep.
- Lynn, on 10/12/2007, -0/+1
Also see this slashdot post:
http://it.slashdot.org/comments.pl?sid=173878&cid=14466008
Seems 1 is not the magic number Steve says it is.
- 16x9, on 10/12/2007, -2/+3
I thought, to be fair, that I should look at the website with the inflammatory name of "www.grcsucks.com" to discover why some of you have decided that Steve Gibson is the anti-Christ. And it seems that the biggest knock against him is that he doesn't post to the right websites or go to the right conventions.
What a bunch of pompous a-holes. Get over yourselves.
- yongoboy, on 10/12/2007, -0/+1
Here's my take on Gibson: Never take for granted... question why... if you're wrong, admit it.
- foxhoundadmin, on 10/12/2007, -0/+1
Good post, NtroP.
Someone else stated that we "ALL just be patient and see this get independently confirmed or denied, wait to get an OFFICIAL response from Microsoft, and then draw our final conclusions." I agree.
And, for the last time, NT is not vulnerable. So, digitaldud, you are wrong.
- 5blocksfree, on 10/12/2007, -1/+2
@CatcherInTheRye
>> I think my biggest problem with Steve's podcast is that Leo sits there and makes comments that are just retarded.
I disagree... many times I've heard Leo make comments that *clarify* what Steve has said, or put it into some kind of meaningful context. Far more often than not, it's a valuable contribution to the discussion.
- Lynn, on 10/12/2007, -2/+2
"he will report that this MetaFile code execution facility WAS deliberately built into Windows from NT on."
How does Steve know what Mark Russinovich will report? The guy just got the source code. Steve is very confused. This guy is making it worse for himself.
- Tweekster, on 10/12/2007, -0/+0
cornfused:
Well, unless you are retarded, other people modding something down does not qualify as censorship.
- mmerino, on 10/12/2007, -0/+0
GRC's website is down, but the news reader is still up. From there you can get the latest on his comments: news://news.grc.com. The trick is you have to set your username and password to be the same. Any username/password that matches is accepted.
The main entries everybody's referring to are in grc.news.feedback.
- verucasalt, on 10/12/2007, -2/+2
Dude, WMF support was introduced in 1990. Yes, I said 1990. Got it? Whether Windows 2000 is a higher number than 1998 is not the point.
- harmlessinc, on 10/12/2007, -2/+2
mntpng -
How much have you heard about people who believe today that the earth is flat? Are they being silenced because they are right? Or just mistaken?
- inactive, on 10/12/2007, -3/+3
Digg has become the gathering of technical dumb asses.
- AttroPheed, on 10/12/2007, -6/+6
Maybe he just can't get over the novelty of seeing his name on all the tech news sites.
- mateo60, on 10/12/2007, -0/+0
Steve Gibson is bad ass.
Also, Ilfak Guilfanov was interviewed on Security Now recently. At the time of the recording, he wasn't sure if 9x would be affected because he didn't have a 9x machine to test on.
- bmatherlyjr, on 10/12/2007, -0/+0
Point 1 - the scripting execution was deliberate; point 2 - the "backdoor" was unintentional... so that brings me to point 3: why are we discussing this if we already know the answers?
- requiem18th, on 10/12/2007, -1/+1
It is said that one should not blame on malice what one should blame on stupidity, but we are talking about Microsoft here. The suspicion about them, if not right, is at least natural.
- codenexus, on 10/12/2007, -1/+0
4.79.142.200
4. ?!?!?! unusual!!!
- Fredx, on 10/12/2007, -1/+0
o o o first time I've seen it down
- boscorelle, on 10/12/2007, -2/+1
Explain this:
"This, too, is subtle misdirection. He's talking about an "additional step" that was LATER TAKEN OUT of Windows metafile processing, since Windows 9x/ME/NT came *before* the later "vulnerable" systems."
--Steve's Blog
- Tearabite, on 10/12/2007, -1/+0
Steve's site (GRC.COM) has been mysteriously down for the last hour.. I guess MS showed HIM!
- inactive, on 10/12/2007, -2/+1
*****, I was trying to digg the article about porn over IPTV. What are you all ranting about?!?
- oepapel, on 10/12/2007, -1/+0
"BTW grc.com doesn't even ping."
I don't think it ever did. I think he has had ICMP closed for a while now to avoid being "pinged to death".
- doon, on 10/12/2007, -1/+0
This isn't complicated.
Who do I trust more? Gibson or Microsoft? Hmmmm... If they wrote a decent kernel, they wouldn't have to constantly patch it. What's the last count on patches? Why don't they just take the time to do it right? Bigger is not better, it's only bigger. 50 million lines of code? No wonder it breaks routinely. They're lazy and fat. They need to get leaner. The shame of it is they have the talent and the bucks to do it; they just don't have the vision.
And, by the way, what does Gibson have to gain? If the Microsoft OS worked as well as SpinRite, Microsoft could at least say "we do it better". They don't. Watch the Vista roll-out. The same thing is going to happen. They'll bloat it with crap they don't need and then whine "we're the standard and that's why the hackers pick on us". Baloney.