The head of Gibson Research, Steve Gibson, claims the WMF vulnerability (described by Microsoft as critical only in Windows 2000, XP and 64) was actually a backdoor deliberately planted by someone at Microsoft. Gibson says it could be used to gain control of a Windows system.
Gibson points to the SetAbortProc function, which is used to abort printing jobs. He says the function belongs in printer contexts, and has no business in metafile contexts. Pre-XP/2000 versions of Windows simply ignore it, while later versions allow a cracker to run his own code:
When I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code.
Gibson concludes: “This was not a mistake. This is not buggy code. This was put into Windows by someone.”
Microsoft responded with an interesting dissection of the reasoning behind GDI and WMF.
That restriction is the reason it’s not possible to exploit this vulnerability by simply referencing an image directly in HTML. IE just won’t process it. How then is Internet Explorer an attack vector for the vulnerability? An example of that is through the Windows Picture and Fax Viewer. That application can convert a raw WMF into a printable EMF record. During this conversion, the application will process the META_ESCAPE record. All the current exploits we’re aware of are based on creating an HTML construct using an IFRAME. At a high level, the IFRAME passes off content to the Windows shell to display. The shell looks up the registered handler for WMF, which is the Windows Picture and Fax Viewer (shimgvw.dll) by default. It can run into the vulnerability when converting a raw WMF to a printable EMF if MS06-001 is not applied to the system.
As for the idea that the vulnerability can be triggered by entering an incorrect record size for the metafile… Not true, soothes Microsoft’s Stephen Toulouse. Any size will do it.
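As an added illustration (not code from the post, from Gibson or from Microsoft), here is a small Python scanner that walks the records of a WMF file and flags any META_ESCAPE record carrying SETABORTPROC, whatever size the record declares. The record and escape constants come from the [MS-WMF] specification, not from the article, and the sample file is constructed inline; a record that declares a size smaller than its own header is reported as malformed, which is the "lied about the size" case Gibson describes.

```python
import struct

# Constants from the [MS-WMF] specification (not from the post itself).
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22  # Aldus placeable header, bytes
STANDARD_HEADER_LEN = 18   # META_HEADER, bytes
MIN_RECORD_WORDS = 3       # RecordSize (2 words) + RecordFunction (1 word)

def scan_wmf(data: bytes):
    """Return (offset, declared_size_words, well_formed) for each META_ESCAPE
    record whose escape function is SETABORTPROC.  Record sizes are in 16-bit
    words.  A record that declares a size smaller than its own 6-byte header is
    reported as malformed and the walk stops there, because the size can no
    longer be trusted to locate the next record."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = PLACEABLE_HEADER_LEN
    pos += STANDARD_HEADER_LEN
    findings = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == META_EOF:
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            escape = struct.unpack_from("<H", data, pos + 6)[0]
            if escape == SETABORTPROC:
                # Flag regardless of declared size: the size is not what matters.
                findings.append((pos, size_words, size_words >= MIN_RECORD_WORDS + 2))
        if size_words < MIN_RECORD_WORDS:
            break  # size field lies about the record; stop rather than mis-walk
        pos += size_words * 2
    return findings

def build_sample(declared_words: int) -> bytes:
    """Constructed test WMF: standard header, one benign META_SETMAPMODE record,
    one SETABORTPROC escape with the given declared size (4 zero data bytes),
    then META_EOF.  Not a real-world file."""
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, 0, 0, 0, 0, 0)
    setmapmode = struct.pack("<IHH", 4, 0x0103, 8)
    escape = struct.pack("<IHHH", declared_words, META_ESCAPE, SETABORTPROC, 4) + b"\x00" * 4
    eof = struct.pack("<IH", 3, META_EOF)
    return header + setmapmode + escape + eof

if __name__ == "__main__":
    for words in (1, 7):
        print(words, scan_wmf(build_sample(words)))
```

Running it shows the escape record flagged at the same offset for the undersized (1 word) and the correctly sized (7 word) variants, which is the point Toulouse makes: the presence of SETABORTPROC in a metafile is the signal, not any particular size value.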
The reason that Windows 9x does not enjoy Microsoft’s Critical Risk ranking is simple: “When not printing to a printer, applications will simply never process the SetAbortProc record (without the attacker taking an additional step).”
In other words, Microsoft says Windows 9x is not at risk from “code execution attacks that could result in automated attacks requiring little or no user interaction…” at least in this case.
Gibson agrees, but sees things slightly differently:
Windows 9x/ME/NT are not in any way vulnerable because they are processing the presence of a MetaFile’s SetAbortProc function in the proper way — by ignoring it completely. As I have said, setting a printing abort procedure is entirely nonsensical in any metafile processing. The developers of Windows 9x/ME/NT knew this, and didn’t support it.
Well. At least Gibson and Microsoft agree on something. (And just in case he’s wrong about the all clear for Windows 9x/ME/NT, Gibson promises to have more to say on that exploitability via WMF next week.)
So what’s for breakfast? How ’bout Easter eggs?
WMF Exploit: Microsoft vs Gibson, Play-by-Play:
- The WMF Exploit Fix Is On Its Way For Windows 98 and ME.
- The Windows MetaFile Backdoor?
- Microsoft’s response: Looking at the WMF issue, how did it get there?
Email Battles Backgrounder (supplemental):