IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Patent Wars and Antitrust Forum / Microsoft have an explanation.
Post #241,590
by static
Picture of static
1/16/06 10:56:52 PM
1/18/06 1:02:33 AM
Reply
New Microsoft have an explanation.
And I believe it's credible.

[link|http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx|http://blogs.technet...01/13/417431.aspx]

To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. ... Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function.


He goes on to say that IE's WMF execution would not recognise the function class that SetAbortProc is in, but there are simple ways to trick it into running such a WMF file via another program anyway.

It looks like a case of a very old and still very useful low-level Windows function that is still around but the landscape around it has changed so much that it's causing problems.

Wade.
"Insert crowbar. Apply force."
Expand Edited by static Jan. 18, 2006, 01:02:33 AM EST
Expand All History
Post #241,593
by admin
Picture of admin
1/16/06 11:01:16 PM
Reply
New Artful Dodging
That's not why Gibson thought it was a back door. The back door part comes in when you realize that the SetAbortProc functionality only works in a WMF when you explicitly (and incorrectly) set the content size to 1.

BTW, fix your link, please.
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
Post #241,713
by static
Picture of static
1/18/06 1:08:26 AM
Reply
New Link fixed.
Actually, I think MS and Gibson are talking past each other. This MS guy is asserting that Gibson is basically wrong to think of it as a backdoor. OTOH, Gibson seems to have found a genuine bug in the parsing of a WMF, if an incorrect length of 1 can trigger that behaviour. It'd be interesting to see his counter-response (he hasn't posted one yet).

Wade.
"Insert crowbar. Apply force."
Post #241,594
by admin
Picture of admin
1/16/06 11:02:31 PM
Reply
New I like how that "blog" doesn't allow comments, too.
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
Post #241,602
by Andrew Grygus
Picture of Andrew Grygus
1/17/06 2:41:55 AM
Reply
New If it's brought forward from legacy stuff . . .
. . how come legacy Windows isn't vulnerable? The features enabling the vulnerability were introduced in Windows 2000 and XP.
[link|http://www.aaxnet.com|AAx]
Post #241,637
by mmoffitt
1/17/06 11:03:40 AM
Reply
New Dang. Beat me to it. That was my first thought.
bcnu,
Mikem

It would seem, therefore, that the three human impulses embodied in religion are fear, conceit, and hatred. The purpose of religion, one might say, is to give an air of respectibility to these passions. -- Bertrand Russell
Post #241,675
by altmann
1/17/06 8:29:52 PM
Reply
New No default program for WMF = No "critical" vulnerability
--
Chris Altmann
     Steve Gibson: "WMF flaw was a deliberate back door". - (Andrew Grygus) - (30) - Jan. 13, 2006, 07:13:31 PM EST
         He needs to adjust his tinfoil IMHO -NT - (altmann) - (9) - Jan. 13, 2006, 08:24:32 PM EST
             He's got a pretty good case - (bepatient) - (8) - Jan. 13, 2006, 09:28:28 PM EST
                 Yup - (broomberg) - Jan. 13, 2006, 09:46:45 PM EST
                 Is there more in it that what was in the transcript? - (altmann) - (3) - Jan. 14, 2006, 03:33:27 AM EST
                     Where'd you find a transcript? - (jb4) - (2) - Jan. 15, 2006, 12:56:46 PM EST
                         On GRC - (Another Scott) - Jan. 15, 2006, 01:00:50 PM EST
                         Podcast is just an MP3 -NT - (drewk) - Jan. 15, 2006, 08:56:10 PM EST
                 A guy over at SysInternals is said to be . . . - (Andrew Grygus) - (2) - Jan. 14, 2006, 08:05:11 PM EST
                     Sysinternals verdict: Not a back door - (altmann) - (1) - Jan. 21, 2006, 04:21:27 AM EST
                         Just stupidity and incompetence, eh? SOP for M$. -NT - (n3jja) - Jan. 21, 2006, 08:31:13 AM EST
         Seems very unlikely to me - (JayMehaffey) - (13) - Jan. 16, 2006, 03:18:21 PM EST
             But thats just as bad - (bepatient) - (5) - Jan. 16, 2006, 04:07:08 PM EST
                 Do I unnderstand this right? - (drewk) - (3) - Jan. 16, 2006, 05:03:27 PM EST
                     did $MS understand multithreading when they wrote it? -NT - (boxley) - Jan. 16, 2006, 05:17:35 PM EST
                     It is part of that - (JayMehaffey) - Jan. 16, 2006, 06:38:38 PM EST
                     No. - (broomberg) - Jan. 16, 2006, 09:08:08 PM EST
                 I would say not quite as bad - (JayMehaffey) - Jan. 16, 2006, 06:43:55 PM EST
             Microsoft have an explanation. - (static) - (6) - Jan. 18, 2006, 01:02:33 AM EST
                 Artful Dodging - (admin) - (1) - Jan. 16, 2006, 11:01:16 PM EST
                     Link fixed. - (static) - Jan. 18, 2006, 01:08:26 AM EST
                 I like how that "blog" doesn't allow comments, too. -NT - (admin) - Jan. 16, 2006, 11:02:31 PM EST
                 If it's brought forward from legacy stuff . . . - (Andrew Grygus) - (2) - Jan. 17, 2006, 02:41:55 AM EST
                     Dang. Beat me to it. That was my first thought. -NT - (mmoffitt) - (1) - Jan. 17, 2006, 11:03:40 AM EST
                         No default program for WMF = No "critical" vulnerability -NT - (altmann) - Jan. 17, 2006, 08:29:52 PM EST
         Interesting "analysis" / Guess-of-motives - (Ashton) - (5) - Jan. 21, 2006, 06:42:09 AM EST
             Shields up is a waste of time. - (pwhysall) - (4) - Jan. 21, 2006, 11:24:14 AM EST
                 Elitist smugness - (Ashton) - (3) - Jan. 29, 2006, 06:10:34 AM EST
                     Whatever, Ash. - (pwhysall) - (2) - Jan. 29, 2006, 07:52:18 AM EST
                         Sorry Ash, but Peter is right here. -NT - (inthane-chan) - Jan. 29, 2006, 10:43:04 AM EST
                         I acknowledge those valld criticisms. - (Ashton) - Jan. 30, 2006, 05:35:00 AM EST

Shown here is a tranquil scene in the north woods. A beaver has just completed its dam, two black bears forage for food, a swallow-tailed butterfly flutters in the foreground, a loon swims quietly by, and a kingfisher searches for a tasty fish.
82 ms