funsec mailing list archives

RE: Is The .WMF Exploit A ConsPiracy Gone Bad?


From: "Blanchard, Michael (InfoSec)" <Blanchard_Michael () emc com>
Date: Fri, 13 Jan 2006 09:01:50 -0500

heheh....  I love a conspiracy theory as much as the next guy, maybe more.  But, sometimes a bug is simply that, a bug. 
 Bugs in code have been known to do strange things, at strange times, in strange ways, heck I've even had one or two 
bugs in my code....  I think the code was carried over, just because it worked, and Microsoft didn't really want to 
re-code the entire deal and figured they'd just carry over the code....
 
 
Mike B
 
Michael P. Blanchard 
Antivirus / Security Engineer, CISSP, GCIH, MCSE, MCP+I 
Office of Information Security & Risk Management 
EMC ² Corporation 
4400 Computer Dr. 
Westboro, MA 01580 
email:  Blanchard_Michael () EMC COM 
 

________________________________

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Don Kennedy
Sent: Friday, January 13, 2006 8:38 AM
To: funsec () linuxbox org
Subject: [funsec] Is The .WMF Exploit A ConsPiracy Gone Bad?


Here is my take on this. 

1. This Auto-Magical self-install Microsoft patch for this is an urban legend. 

2. That with enough investigation, by the right parties, it can or will be proven that Microsoft has created this for 
the FEDS! much like some PRINTERS have embedded serial numbers in their image output ("Which we also did not know about 
at first"). 

3. IF this causes a full blown extensive investigation, and the TRUTH is allowed to come out, I think the outrage will 
be something not seen in this country ever before. 

4. This ("Back Door") can/could be invoked via Email, HTML email, or via an email attachment, or even an IMAGE in an IM 
session, such as for example in Yahoo Messenger, where one is allowed to have a PHOTO of yourself ("A Drive-By Method 
of Installation") so when it was said in the Pod Cast that there would be a requirement to VISIT a web site this is not 
true. 

If the proper investigation is done about this, IMHO, I think it can EASILY be proven that Federal Agencies have in 
fact USED this method ("A few MORE current and in-place back doors will be publicly admitted to as well") with and 
without the required paperwork, and that Microsoft actually provided instructions as to the use of these back doors to 
said agencies. 

It CANNOT be accidental that the WRONG VALUE invokes code, which has NO way to communicate ("Easily") with the source 
that launched it, accidentally ("Note: while it also is being listed in Microsoft Documentation as LEGACY code") is 
carried even to Windows Vista. Even if somehow like in DNA, this was a one-in-ten-billion accident, it does NOT explain 
why this documented LEGACY code was carried over to Windows Vista, and MORE importantly this: 

That WHEN Microsoft REMOVED this FUNCTIONALITY COMPLETELY from the Operating System, no Microsoft Product or 
application, no 3rd party code or application, no major clients or customers were impacted in ANY way! 

If the INTENT of the SETABORTPROC parameter using the Escape procedure WAS to help with Printer failure logic? Where's 
the PAPER JAM? 

So, is this the LEAST used LEGACY function accidentally carried from OS to OS since Windows 2000 which happens to be 
capable to LAUNCH and execute code remotely using ONLY the WRONG params ("Oh by the way, only if the WRONG value 
equals ONE, any other WRONG value, won't work") and the executed code within the wmf file cannot access ("easily") its 
own CONTEXT ("No need for that if the purpose is to deliver a stand-alone payload")? 

The question then becomes, IF IT WAS SO IMPORTANT TO CARRY THIS LEGACY CODE EVEN TO WINDOWS VISTA.......... 


WHO WAS USING IT? ;-)
 
More Here: http://testing.onlytherightanswers.com/modules.php?name=News&file=article&sid=36

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
