Postings are flying fast and thick in the security community over a researcher's suggestion that Microsoft hid sneaky code in Windows.
The recent security problem regarding the rendering of WMF images was so bizarre that it has to be an intentional backdoor in the operating system, security researcher Steve Gibson said in a podcast posted Thursday.
He said he can find no other explanation for the existence of the WMF rendering problem, and no reason for the ability in Windows to use such image files to execute computer code.
"This was not a mistake. This is not buggy code. This was put into Windows by someone," Gibson said on the Security Now podcast. "I believe that some very clever and industrious hacker figured this out, started using it and Microsoft was caught off guard and thought: Whoops, we've got to close this backdoor down."
A backdoor is a method of bypassing normal authentication to gain access to a computer unbeknownst to the PC user..
Gibson suggests that Microsoft could use the WMF issue to access PCs that visit its Web site. "If Microsoft was worried that for some reason in the future they might have cause to get visitors to their Web site to execute code, even if ActiveX is turned off, even if security is up full, even if firewalls are on... they have had that ability, and this code gave it to them."
Microsoft and independent security experts have said that the WMF problem was unlike a typical flaw, such as a buffer overflow, that hackers can take advantage of and run code. Instead, the issue lies in a software feature being used in an unintended way.
But Gibson appears to be alone in his thinking that the WMF issue is a backdoor deliberately created by Microsoft.
"It is definitely a stretch to call this a backdoor," said Marc Maiffret, chief hacking officer at eEye Digital Security. "Every security flaw ever found in Windows could have been a backdoor, and we would never have known. I think it's a bit 'tin foil hat' to try to say they are backdoors."
Michael Sutton, director at security intelligence company iDefense, a part of VeriSign, also doesn't buy Gibson's theory. "Microsoft has far too much at stake to do such a thing," he said. "It also wouldn't be a logical place to install a backdoor. Utilising it would require user interaction. There are better ways to install a backdoor."
Microsoft has had cases in the past where undocumented interfaces were used by Windows applications as "backdoors," said Neil MacDonald, a Gartner analyst. But the WMF issue is probably not of them, he said.
"Unless someone can show a Microsoft application — Windows, Office or otherwise — that uses this feature to run code, I believe the explanation that Microsoft provided made sense. The WMF format was designed in an era when processing images on PCs was slow, and so the format included the ability to insert custom abort processing code."
WMF files were introduced with Windows 3.0 in early 1990, an era when security wasn't a priority, security experts have said.
"This feature should have been identified as a security risk long ago by Microsoft proactively and removed, but it escaped Microsoft's Security Development Life Cycle until it was discovered by hackers," MacDonald said.
Microsoft last week rushed out a critical update for the WMF problem. The software maker also said it would scour its code to look for similar flaws and update its development practices to prevent similar problems in future products.
Gibson , who has come under harsh criticism on Slashdot, isn't surprised that people call him a conspiracy theorist or even paranoid.
"I completely understand them," he said in an interview. "We will never have proof one way or the other because we will never know for sure what Microsoft's intentions were."
Talkback
You can be sure. I have turned off automatic updating on my XP professional. I have disabled windows messenger and *all* other MS related communications software. I have left only the most essential services running on my OS and yet it *still* attempts to contact Microsoft every single time I connect to the net. I use Kapersky anti-hacker and I have blocked the application svchost.exe from communicating through *any* ports and the result is a notification like this .... http://img.villagephotos.com/p/2005-2/959041/MS_malice.jpg ... every single time I connect to the net. If nothing it is proof positive that Microsoft is going to great lengths to maintain 'connections' to their OS. Trace the IP that shows in the above image and you will see it is Microsofts. Block your svchost.exe and you will see for yourselves. We pay for something but we don't actually own it and I don't see why they should continue to get away with it. The OS costs a fortune - we payfor it and it ought to be ours.
Firstly, I do not believe that you own your OS. You simply have obtained a license to use an OS. This is an important distinction. If we truly owned our OS, we could trade and sell it to others. This is legally unacceptable since Microsoft owns your OS.
Secondly, terminating your contact with Microsoft or any OS manufacturer is plain stupid. It may even violate your license. Why?
Because you may jeopardize other licensed users by having inadequate security updates.
Regardless, you are hampering a licensed partrner to provide anmy necessary support and this is unwise.