fsfe-uk

Re: [Fsfe-uk] Windows WMF exploit intentional?


From: Kevin Donnelly
Subject: Re: [Fsfe-uk] Windows WMF exploit intentional?
Date: Sat, 14 Jan 2006 21:28:08 +0000
User-agent: KMail/1.8

On Saturday 14 January 2006 20:20, Chris Croughton wrote:
> On Sat, Jan 14, 2006 at 04:09:07PM +0000, Kevin Donnelly wrote:
> > Steve Gibson is speculating that the recent Microsoft Windows WMF bug was
> > intentionally put in the code by someone at Microsoft as a back-door:
> > http://www.grc.com/sn/SN-022.htm
> > I have no idea how well-founded his speculation is,
>
> Not at all from what I've heard, it was put in as a way to close down
> printing in the middle of a job because MSDOS (and Windows on top of it)
> weren't intelligent enough.  Yes, it was a "back door" of a sort, but so
> was almost everything in those days.

Hmm.  His take is that there is simply no reason for that printabort to be 
included in a WMF, and the odd behaviour is only triggered when you send a 
*specific* unexpected value to it.  I

> > but it has him saying that an operating system whose source is open
> > would allow users to check that there is nothing untoward in the code
> > ....
>
> Users?  No chance at all.  Users wouldn't know a back door if it shut in
> their face.  Other programmers?  Possibly, if they bothered to search it
> that far, but you only have to look at how many vulnerabilities are still
> slipping through open software to see that merely being open doesn't
> mean that programmers will find the holes.

Programmers are users too, of course.  I think his point is that it is easier 
to identify the vulnerabilities, rather than suggesting that there will be 
none.

> Yes, being open has some advantages, and more people /can/ look at it,
> but who has the time?  How many Linux users have looked at any of the
> kernel source code at all, let alone the applications?

Very few, I'd have thought.  But it's nice to know I could do if the mood were 
ever to take me ...

-- 

Pob hwyl / Best wishes

Kevin Donnelly

www.kyfieithu.co.uk - KDE yn Gymraeg
www.rhedadur.org.uk - Rhedeg berfau Cymraeg
www.cymrux.org.uk - Linux Cymraeg ar un CD



