funsec mailing list archives

Re: Is The .WMF Exploit A ConsPiracy Gone Bad?


From: Don Kennedy <zoverlords () yahoo com>
Date: Sat, 14 Jan 2006 10:11:56 -0800 (PST)

Comments?

All I can do is express my opinion on this, but it seems we agree:

If Microsoft were to have HOLES that could be used by the feds, they sure would not want them to be gracefully coded 
and/or littered with signs that they have been intentionally placed where they were found for ALL to find.

This concept that the best method of "Back Door" implementation would be to use 256 Byte Keys to invoke the logic would 
do nothing but help prove INTENT, which would be the EXACT opposite of what one would wish.

Much like anything, as new methods are developed, one can afford to DROP older methods ("Especially if they become 
Public and used for motives not intended")

On that NOTE:

I find it very hard to believe that parties at Microsoft had no idea that this BUG was present; I can believe that it 
was known, had not caused any problems, and was determined to NOT be dealt with.

As one tool in a toolbox, this flaw would have been a good one:

1. Support included in all windows platforms, in some manner.

2. It requires no scripting method of any kind to be delivered.

3. It was the LAST "Graphic Only" method to deliver a payload.

4. It had the ability to re-invoke itself simply by opening a folder.

5. Via Floppy, CD, DVD, and Download.

6. One Single Delivery Graphic, supports all delivery methods. 

Would this have been the Perfect "Holy Grail" to deliver a payload? NO, however it sure had "STEALTH", and only a lack 
of creativity would have kept someone from OWNing almost any system they wished, combined with some social engineering 
of someone's Email address or IM name.

Point is, I think this method has been in use for some time, and we will never know by whom, or how extensive its 
use was.

For many years the term "Magic Lantern" has been used for something that this would actually fit very well.

The "Magic Lantern" is and was an urban myth on how the Feds had some secret methods to gain access to Windows based 
systems in a very simple manner, and no SOLID evidence was ever produced as to what methods "Magic Lantern" used.

To date, based on all the myths I have read and heard about, this exploit seems to fit most of the suggested abilities 
of how "Magic Lantern" could gain access to specific systems.

Did "Magic Lantern" really exist? 

Not sure we will ever know. Could this in fact have been part or all of how "Magic Lantern" was able to gain access to 
specific Windows based systems when needed? 

Not sure we will ever know.

If I were a betting man, I would say, with or without the help of Microsoft, that this exploit has been used in the past 
by the Feds to some extent, not saying on a MASSIVE scale, but more on a "From Time To Time" basis.

What I find more interesting than anything in this adventure so far is this statement from Microsoft:

Quote:

"With WMF we want to be very clear: the Windows 9x platform is not vulnerable to any "Critical" attack vector. 

The reason Windows 9x is not vulnerable to a "Critical" attack vector is because an additional step exists in the Win9x 
platform: When not printing to a printer, applications will simply never process the SetAbortProc record. 

Although the vulnerable code does exist in the Win9x platform, all "Critical" attack vectors are blocked by this 
additional step."

From:
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

So a Question Arises:

Was the Win98 platform PATCHED to defeat the logic that does allow this execution of code in future platforms for this 
exploit?

OR.............

Were Future Platforms PATCHED to allow the logic that does allow this execution of code for this exploit?

The Only thing I am SURE of is we will never know. 

If this was part of "Magic Lantern" and retired because it finally fell into the public domain, what methods, if any, 
took its place?

The Only thing I am SURE of is we will NEVER know.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
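The Microsoft statement quoted in the post turns on whether an application ever processes a SetAbortProc escape record inside a WMF file. The following is an added example, not code from the post or from Microsoft: a small defensive scanner that walks a WMF file's record list and reports any META_ESCAPE record carrying the SETABORTPROC escape function, which is the kind of check a mail gateway or file scanner could apply to inbound images. Record layout and constants follow the public MS-WMF specification; the sample files are constructed in the block and are not real-world samples.

```python
import struct

# Public constants from the MS-WMF specification: record function codes and
# the escape sub-function number the Microsoft statement above refers to.
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7


def scan_wmf(data: bytes) -> list:
    """Walk a WMF file's record list and return each META_ESCAPE record whose
    escape function is SETABORTPROC (offset and length in bytes). Malformed or
    truncated input ends the walk early instead of raising."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the 22-byte placeable header
    if len(data) < off + 18:
        return []
    off += struct.unpack_from("<H", data, off + 2)[0] * 2  # HeaderSize is in 16-bit words
    hits = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or func == META_EOF:    # too small to be a record, or end of file
            break
        if func == META_ESCAPE and size_words >= 4 and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append({"offset": off, "size": size_words * 2})
        off += size_words * 2
    return hits


# --- constructed fixtures (hypothetical files built here, not real samples) ---
def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: list, placeable: bool = False) -> bytes:
    body = b"".join(records) + _record(META_EOF, b"")
    max_rec = max(len(r) for r in records) // 2 if records else 3
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) if placeable else b""
    return prefix + header + body


BENIGN = _wmf([_record(0x0103, struct.pack("<H", 8))])             # META_SETMAPMODE only
ESCAPE = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)
SUSPECT = _wmf([ESCAPE])
SUSPECT_PLACEABLE = _wmf([ESCAPE], placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_wmf(blob))
```

A hit only means the record is present; whether a given viewer would act on it is exactly the platform-dependent question the quoted statement addresses, so treat the result as a triage signal, not a verdict.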