Full Disclosure mailing list archives

Re: [funsec] RE: WMF round-up, updates and de-mystification]
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Tue, 03 Jan 2006 21:36:21 -0600

Peter Ferrie wrote:
>> In this URL you can find the best write-up I have seen on the WMF issue:
>> By Matthew Murphy at the "Securiteam Blogs".
>
> And yet, he calls it a bug, which it isn't.
> It's actually a feature, it has legitimate purposes, and has been present
> in Windows for 15 years, and people are noticing only now just what you
> can do with it.
>
> While I'm not defending Microsoft here, since I think that it was a poor
> design in the first place, let's at least get that part right.

Potato, potatoe.  But since you're telling me to "get it right", I will.
In fact, it is a bug.

Yes, it is a feature that is (apparently) used in some instances.
However, the bug is the result of that feature.  The indexing data
administration (aka the .ida mapping) of IIS 5.0 was a feature.  The
buffer overrun vulnerability in it was a bug.

The fact that the ABORTPROC record exists in the GDI is not
(necessarily) a bug, if it has legitimate uses, as you state it does
(and I believe it might).  Though the necessity of such legitimate uses
is questionable, that's a debate for another day.

What *is* true is that the ability for *file-backed* WMF content to use
such records does not lend itself to such legitimate purposes.  IMO, the
ability for a *file format* that is deemed *safe content* (to the extent
that such a file is automatically opened when viewed) to execute
arbitrary code is a vulnerability.  That is decided.

What we have is a software vulnerability.  Software vulnerabilities are
created by two causes:

1) Software that functions according to its developer's intent.  We call
such software by varying titles depending on the scope of its malicious
activities: trojans, rootkits, spyware, etc., etc., are all *MALICIOUS
SOFTWARE* that intentionally lessens systems' security.

2) Software that functions in an unintended fashion when faced with some
unhandled circumstance (in this case, a file containing a command that
it should not, for security purposes, be able to utilize).  We call this
crappy software, which is a slightly more flattering title.

Features can be bugs and bugs can be features.  The ability for all
users on a system to update a piece of software is both a feature and a
bug.  It is a feature because of what it allows -- it is a bug because,
more likely than not, the developer did not intend to expose the system
to the dangers of trojan horse files, etc.  That is why these "features"
are typically patched out of products if they make it through the
development cycle.  The flip side is a well-known bug in a piece of
software that produces some generally useful (and harmless)
functionality when it is exploited.  Such a bug could indeed be
considered a feature, particularly if these behaviors are not accessible
through documented means.  In essence, bugs are often just undocumented,
unintended features.

A poor design choice that leads to unintended, unknown, or undocumented
consequences is more likely than not, still a bug.

But just to please you, it might be helpful to note that I document the
nature of this (as I believe it) bug in the GDI in my post.  In fact, I
document the nature of this functionality in the same paragraph where I
first use the word "bug".  Emphasis added for the purpose of discussion:

"To call the frustration I felt a Windows problem, though, is a mistake.
Indeed, the vulnerability was a Windows bug... this time around. I could
blame Microsoft for its error. Indeed, I could take advantage of this
opportunity to tear at the flesh of Microsoft's developers for what was
I won't, though, because to do so would be overlooking the far-broader
implications of this issue, and it would be a mistake."

Congratulations are in order for your efforts, Mr. Ferrie.  You've
prompted me to realize that the term "easter-egg" in that sentence was a
misuse of a hyphen.  Otherwise, the post stands as written.

I'm also confused by your appeal to "get it right" being made in such a
hostile fashion.  Indeed, the bug vs. feature debate is immaterial to
the discussion, and you could just as easily have commented in the blog
post, since you obviously felt it important enough to read.

I feel that I have it right, so the post content will stand.  You could
have offered me the courtesy of commenting on the post, where I could
have been receptive to your suggestion in a much less disruptive manner.
Further, you'd have saved readers of *your own company's list* (and
those operated by Gadi and John) the need to read through an argument
they could solve for themselves with a good technical dictionary.

I hope this policy of nit-pick attacks against competing groups that
voluntarily post to Symantec's community resources is not something that
is condoned or is commonplace.  If that turns out to be the case, I may
reconsider my basis for being a regular contributor to them.

You're entitled to a dissenting opinion.  Maybe it's egotistical of me,
but I feel like I'm entitled to some level of professional courtesy, as

Matt Murphy

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein
