Windows back door rumor is bunk

No reason not to patch it, however

Nothing new here

To anyone well acquainted with Windows security, hence Microsoft's insistence on ease of use whatever the cost, the idea of intentional mischief along these lines is immediately suspect. Microsoft still encourages users to run Windows as administrators, because it believes that logging in is too much trouble for the average point-and-drool civilian. It enables scores of potentially dangerous networking services by default, lest anyone struggle to enable them as needed; and its security scheme for IE - which, instead of distrusting Web content by default, forces the user to decide whose content to trust and whose not to - is essentially a means of skirting responsibility by blaming the victim for the crushing burden of malware they are carrying.

Microsoft has made a pudding of security from its earliest days, and no amount of malicious intent can possibly account for this. The company's obsession with ease of use is more than adequate to account for this and thousands of other security snafus like it.

Furthermore, the WMF flaw doesn't make for a good backdoor, assuming that one would like to target a user, or class of users. For example, IE is not in itself vulnerable; the problem comes when the system renders online WMF files with shimgvw.dll. So luring a Windows user to a malicious web site is no guarantee that they will be affected, while many others, who are not targets, might well be affected. Similarly, when sending a malicious WMF file via e-mail or IM, there is no guarantee that the intended target or targets will be vulnerable. And there are plenty of other types of malicious file that can be sent or placed on line in a similar manner, so there is no distinct advantage to using WMF. It is not a powerful back door.

Finally, Microsoft doesn't need this as a back door; it already has one: Windows Automatic Update. It's got Windows boxes phoning home without user interaction, identifying themselves, and downloading and installing code in the background. Technically speaking, it would not be difficult for the company to pervert this process subtly, and effectively, to target certain machines for malware. But naturally, there is no possibility that it ever will: its actually doing so would be detected, and proved, and the company would end up with the PR debacle of the century. So, yes, there is a back door in Windows, and no, it is not news.

Here Gibson takes his preferred route to getting the ink that he craves: technobabble and innuendo. He can't prove anything (technically, he hasn't got the chops), so he lurks in the gray area between fact and fiction, and generates torrents of fear, uncertainty, and doubt.

The FUD Olympics

Gibson has a bad track record: a history of latching onto arcane issues that he doesn't fully understand and can never prove, and converting his limited understanding into fodder for the next internet melt-down. In mid-2001, when he discovered the SOCK_RAW protocol (which had been implemented in UNIX and Linux for ages) and Microsoft's intent to implement it in Windows XP, he predicted an "XP Christmas of Death" for 2001-2002, which has yet to materialize. Nevertheless, he made such a riot over the issue for so long that Windows XP service Pack 2 disables the function. Naturally, the installed user base of XP machines in botnets remains the same, because the problem was, and is, the ease with which even the most inept script kiddie can own a Windows box. Default configurations are very loose, so there are scores of routes into most Windows systems that require very little knowledge or talent to exploit. Microsoft needs to tighten up thirty or so glaring design and configuration flaws, all right, but raw sockets is not among them.

In 2002, when he discovered SYN floods, he developed a broken gimmick that he called "GENESIS" (Gibson's ENcryption-Enhanced Spoofing Immunity System). He said it was "beautiful and perfect." In fact, it was nothing more than an inept implementation of SYNcookies, which had been developed (in a properly working form) for Linux by Dan Bernstein and Eric Schenk years earlier. Gibson denied that he had ever heard of SYNcookies, and insisted had thought up his own, broken version independently, but this is highly unlikely. Of course, that can't be proved or disproved, keeping the issue in the vague territory that Gibson so comfortably inhabits.

The WMF backdoor very much in keeping with Gibson's history of getting security matters a bit wrong, filling the gaps in his understanding with technobabble, and hyping the actual matter out of all reasonable proportion in his neverending quest of ink.

And here, much as we regret it, we've given him even more ink. We can only hope that it dispels the ridiculous rumor that Gibson has propagated, and thus will do more good than harm. ®

Related stories

More cracks appear in Windows
Security geek developing WinXP raw socket exploit
Steve Gibson invents broken SYNcookies

l

Related Links

Microsoft's WMF patches
Gibson's accusatory podcast
Rebuttal by MS's Stephen Toulouse

Sponsored: Driving business with continuous operational intelligence