'Windows backdoor' theory causes kerfuffle

Postings are flying fast and thick in the security community over a researcher's suggestion that Microsoft hid sneaky code in Windows.

The recent security problem regarding the rendering of Windows Meta File images was so bizarre that it has to be an intentional backdoor in the operating system, Steve Gibson said in a podcast posted Thursday.

He said he can find no other explanation for the existence of the WMF rendering problem, and no reason for the ability in Windows to use such image files to execute computer code.

"This was not a mistake. This is not buggy code. This was put into Windows by someone," Gibson said on the Security Now podcast. "I believe that some very clever and industrious hacker figured this out, started using it and Microsoft was caught off guard and thought: Whoops, we've got to close this backdoor down."

A backdoor is a method of bypassing normal authentication to gain access to a computer unbeknownst to the PC user..

Gibson suggests that Microsoft could use the WMF issue to access PCs that visit its Web site. "If Microsoft was worried that for some reason in the future they might have cause to get visitors to their Web site to execute code, even if ActiveX is turned off, even if security is up full, even if firewalls are on ... they have had that ability, and this code gave it to them."

Microsoft and independent security experts have said that the WMF problem was unlike a typical flaw, such as a buffer overflow, that hackers can take advantage of and run code. Instead, the issue lies in a software feature being used in an unintended way.

But Gibson appears to be alone in his thinking that the WMF issue is a backdoor deliberately created by Microsoft.

"It is definitely a stretch to call this a backdoor," said Marc Maiffret, chief hacking officer at eEye Digital Security. "Every security flaw ever found in Windows could have been a backdoor, and we would never have known. I think it's a bit 'tin foil hat' to try to say they are backdoors."

Michael Sutton, director at security intelligence company iDefense, a part of VeriSign, also doesnÂ’t buy Gibson's theory. "Microsoft has far too much at stake to do such a thing," he said. "It also wouldn't be a logical place to install a backdoor. Utilizing it would require user interaction. There are better ways to install a backdoor."

Microsoft has had cases in the past where undocumented interfaces were used by Windows applications as "backdoors," said Neil MacDonald, a Gartner analyst. But the WMF issue is probably not of them, he said.

"Unless someone can show a Microsoft application--Windows, Office or otherwise--that uses this feature to run code, I believe the explanation that Microsoft provided made sense. The WMF format was designed in an era when processing images on PCs was slow, and so the format included the ability to insert custom abort processing code."

WMF files were introduced with Windows 3.0 in early 1990, an era when security wasn't a priority, security experts have said.

"This feature should have been identified as a security risk long ago by Microsoft proactively and removed, but it escaped Microsoft's Security Development Life Cycle until it was discovered by hackers," MacDonald said.

Microsoft last week rushed out a critical update for the WMF problem. The software maker also said it would scour its code to look for similar flaws and update its development practices to prevent similar problems in future products.

Gibson , who has come under harsh criticism on Slashdot, a news comment Web site, isnÂ’t surprised that people call him a conspiracy theorist or even paranoid.

"I completely understand them," he said in an interview. "We will never have proof one way or the other because we will never know for sure what Microsoft's intentions were."

Close
Drag