Feeds

Windows back door rumor is bunk

No reason not to patch it, however

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Nothing new here

To anyone well acquainted with Windows security, hence Microsoft's insistence on ease of use whatever the cost, the idea of intentional mischief along these lines is immediately suspect. Microsoft still encourages users to run Windows as administrators, because it believes that logging in is too much trouble for the average point-and-drool civilian. It enables scores of potentially dangerous networking services by default, lest anyone struggle to enable them as needed; and its security scheme for IE - which, instead of distrusting Web content by default, forces the user to decide whose content to trust and whose not to - is essentially a means of skirting responsibility by blaming the victim for the crushing burden of malware they are carrying.

Microsoft has made a pudding of security from its earliest days, and no amount of malicious intent can possibly account for this. The company's obsession with ease of use is more than adequate to account for this and thousands of other security snafus like it.

Furthermore, the WMF flaw doesn't make for a good backdoor, assuming that one would like to target a user, or class of users. For example, IE is not in itself vulnerable; the problem comes when the system renders online WMF files with shimgvw.dll. So luring a Windows user to a malicious web site is no guarantee that they will be affected, while many others, who are not targets, might well be affected. Similarly, when sending a malicious WMF file via e-mail or IM, there is no guarantee that the intended target or targets will be vulnerable. And there are plenty of other types of malicious file that can be sent or placed on line in a similar manner, so there is no distinct advantage to using WMF. It is not a powerful back door.

Finally, Microsoft doesn't need this as a back door; it already has one: Windows Automatic Update. It's got Windows boxes phoning home without user interaction, identifying themselves, and downloading and installing code in the background. Technically speaking, it would not be difficult for the company to pervert this process subtly, and effectively, to target certain machines for malware. But naturally, there is no possibility that it ever will: its actually doing so would be detected, and proved, and the company would end up with the PR debacle of the century. So, yes, there is a back door in Windows, and no, it is not news.

Here Gibson takes his preferred route to getting the ink that he craves: technobabble and innuendo. He can't prove anything (technically, he hasn't got the chops), so he lurks in the gray area between fact and fiction, and generates torrents of fear, uncertainty, and doubt.

The FUD Olympics

Gibson has a bad track record: a history of latching onto arcane issues that he doesn't fully understand and can never prove, and converting his limited understanding into fodder for the next internet melt-down. In mid-2001, when he discovered the SOCK_RAW protocol (which had been implemented in UNIX and Linux for ages) and Microsoft's intent to implement it in Windows XP, he predicted an "XP Christmas of Death" for 2001-2002, which has yet to materialize. Nevertheless, he made such a riot over the issue for so long that Windows XP service Pack 2 disables the function. Naturally, the installed user base of XP machines in botnets remains the same, because the problem was, and is, the ease with which even the most inept script kiddie can own a Windows box. Default configurations are very loose, so there are scores of routes into most Windows systems that require very little knowledge or talent to exploit. Microsoft needs to tighten up thirty or so glaring design and configuration flaws, all right, but raw sockets is not among them.

In 2002, when he discovered SYN floods, he developed a broken gimmick that he called "GENESIS" (Gibson's ENcryption-Enhanced Spoofing Immunity System). He said it was "beautiful and perfect." In fact, it was nothing more than an inept implementation of SYNcookies, which had been developed (in a properly working form) for Linux by Dan Bernstein and Eric Schenk years earlier. Gibson denied that he had ever heard of SYNcookies, and insisted had thought up his own, broken version independently, but this is highly unlikely. Of course, that can't be proved or disproved, keeping the issue in the vague territory that Gibson so comfortably inhabits.

The WMF backdoor very much in keeping with Gibson's history of getting security matters a bit wrong, filling the gaps in his understanding with technobabble, and hyping the actual matter out of all reasonable proportion in his neverending quest of ink.

And here, much as we regret it, we've given him even more ink. We can only hope that it dispels the ridiculous rumor that Gibson has propagated, and thus will do more good than harm. ®

Related stories

More cracks appear in Windows
Security geek developing WinXP raw socket exploit
Steve Gibson invents broken SYNcookies

l

Related Links

Microsoft's WMF patches
Gibson's accusatory podcast
Rebuttal by MS's Stephen Toulouse

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Apple grapple: Congress kills FBI's Cupertino crypto kybosh plan
Encryption would lead us all into a 'dark place', claim G-Men
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.