IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User

Welcome to IWETHEY!

New Microsoft have an explanation.
And I believe it's credible.


To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. ... Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function.

He goes on to say that IE's WMF execution would not recognise the function class that SetAbortProc is in, but there are simple ways to trick it into running such a WMF file via another program anyway.

It looks like a case of a very old and still very useful low-level Windows function that is still around but the landscape around it has changed so much that it's causing problems.

"Insert crowbar. Apply force."
Expand Edited by static Jan. 18, 2006, 01:02:33 AM EST
New Artful Dodging
That's not why Gibson thought it was a back door. The back door part comes in when you realize that the SetAbortProc functionality only works in a WMF when you explicitly (and incorrectly) set the content size to 1.

BTW, fix your link, please.

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
New Link fixed.
Actually, I think MS and Gibson are talking past each other. This MS guy is asserting that Gibson is basically wrong to think of it as a backdoor. OTOH, Gibson seems to have found a genuine bug in the parsing of a WMF, if an incorrect length of 1 can trigger that behaviour. It'd be interesting to see his counter-response (he hasn't posted one yet).

"Insert crowbar. Apply force."
New I like how that "blog" doesn't allow comments, too.

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
New If it's brought forward from legacy stuff . . .
. . how come legacy Windows isn't vulnerable? The features enabling the vulnerability were introduced in Windows 2000 and XP.
New Dang. Beat me to it. That was my first thought.

It would seem, therefore, that the three human impulses embodied in religion are fear, conceit, and hatred. The purpose of religion, one might say, is to give an air of respectibility to these passions. -- Bertrand Russell
New No default program for WMF = No "critical" vulnerability
Chris Altmann
     Steve Gibson: "WMF flaw was a deliberate back door". - (Andrew Grygus) - (30)
         He needs to adjust his tinfoil IMHO -NT - (altmann) - (9)
             He's got a pretty good case - (bepatient) - (8)
                 Yup - (broomberg)
                 Is there more in it that what was in the transcript? - (altmann) - (3)
                     Where'd you find a transcript? - (jb4) - (2)
                         On GRC - (Another Scott)
                         Podcast is just an MP3 -NT - (drewk)
                 A guy over at SysInternals is said to be . . . - (Andrew Grygus) - (2)
                     Sysinternals verdict: Not a back door - (altmann) - (1)
                         Just stupidity and incompetence, eh? SOP for M$. -NT - (n3jja)
         Seems very unlikely to me - (JayMehaffey) - (13)
             But thats just as bad - (bepatient) - (5)
                 Do I unnderstand this right? - (drewk) - (3)
                     did $MS understand multithreading when they wrote it? -NT - (boxley)
                     It is part of that - (JayMehaffey)
                     No. - (broomberg)
                 I would say not quite as bad - (JayMehaffey)
             Microsoft have an explanation. - (static) - (6)
                 Artful Dodging - (admin) - (1)
                     Link fixed. - (static)
                 I like how that "blog" doesn't allow comments, too. -NT - (admin)
                 If it's brought forward from legacy stuff . . . - (Andrew Grygus) - (2)
                     Dang. Beat me to it. That was my first thought. -NT - (mmoffitt) - (1)
                         No default program for WMF = No "critical" vulnerability -NT - (altmann)
         Interesting "analysis" / Guess-of-motives - (Ashton) - (5)
             Shields up is a waste of time. - (pwhysall) - (4)
                 Elitist smugness - (Ashton) - (3)
                     Whatever, Ash. - (pwhysall) - (2)
                         Sorry Ash, but Peter is right here. -NT - (inthane-chan)
                         I acknowledge those valld criticisms. - (Ashton)

I miss the old days when we used to talk about chocolate.
58 ms