Re: [Fsfe-uk] Windows WMF exploit intentional?

[Chris Croughton]

On Sat, Jan 14, 2006 at 09:28:08PM +0000, Kevin Donnelly wrote:
> On Saturday 14 January 2006 20:20, Chris Croughton wrote:
> > On Sat, Jan 14, 2006 at 04:09:07PM +0000, Kevin Donnelly wrote:
> > > Steve Gibson is speculating that the recent Microsoft Windows WMF bug was
> > > intentionally put in the code by someone at Microsoft as a back-door:
> > > http://www.grc.com/sn/SN-022.htm
> > > I have no idea how well-founded his speculation is,
> >
> > Not at all from what I've heard, it was put in as a way to close down
> > printing in the middle of a job because MSDOS (and Windows on top of it)
> > weren't intelligent enough.  Yes, it was a "back door" of a sort, but so
> > was almost everything in those days.
> 
> Hmm.  His take is that there is simply no reason for that printabort to be 
> included in a WMF, and the odd behaviour is only triggered when you send a 
> *specific* unexpected value to it.  I

Well, most of the vunerabilities are only there when sent specific
unexpected values.  As I've heard it described there was originally a
good reason to have the "call into WMF" callback-like feature, and it
was more that no one thought to take it out (or they didn't know whether
someone was still using it so they left it).

"Never attribute to malice that which can be explained by stupidity..."

(And I'm a paranoid saying that <g>...)

> > > but it has him saying that an operating system whose source is open
> > > would allow users to check that there is nothing untoward in the code
> > > ....
> >
> > Users?  No chance at all.  Users wouldn't know a back door if it shut in
> > their face.  Other programmers?  Possibly, if they bothered to search it
> > that far, but you only have to look at how many vunerabilities are still
> > slipping through open software to see that merely being open doesn't
> > mean that programmers will find the holes.
> 
> Programmers are users too, of course.  I think his point is that it is easier 
> to identify the vulnerabilities, rather than suggesting that there will be 
> none.

But the vast majority of programmers have their own jobs to do, rather
which is why they just use other code.  And how many Unix programmers
would know enough about Windows (or be interested in looking at it) for
instance to find the backdoor and realise that it was open?  Even the
people who hunt through Windows to find 'interesting' things hadn't
noticed it.

Note that Windows source code, with that vunerability, has been out for
a long time.  Not officially, but I remember at least two versions which
'escaped'.

> > Yes, being open has some advantages, and more people /can/ look at it,
> > but who has the time?  How many Linux users have looked at any of the
> > kernel source code at all, let alone the applications?
> 
> Very few, I'd have thought.  But it's nice to know I could do if the mood 
> were 
> ever to take me ...

Well, yes.  The thing which open source can give is faster patches,
because people can test and install their own (whether they will make
the system more or less stable, of course, is another matter, how well
do you trust a patch from someone you've never heard of before?).  I
certainly don't have the time to look at any sizable part of an OS these
days, or even a noticable fraction of an application unless it's one I'm
writing.  Unfortunately; I have the desire but not the time...

Chris C