Friday, January 20, 2006

Microsoft's Backdoor Spin

It turns out that Microsoft is putting a lot of 'spin' on its WMF vulnerability/backdoor. Firstly, they claim that Windows 9x is still vulnerable, when it isn't. Then they claim that Windows 9x contains "extra" security, which it doesn't. Finally, they won't patch Windows NT, even though it is still used on many file servers around the world.
Also, since when do any programmers provide for the ability to mix executable code and data without documenting it? The only company I can think of that happily mixes code and data is Microsoft: Word, Excel, (Outlook) and Access all provide for application code in the data file, and this has been responsible for a zillion macro-based viruses.
Then Microsoft have the cheek to balk at the term "backdoor". But it IS a back door: undocumented functionality that allows for arbitrary code execution from a data file that can be exploited by anyone who knows about it. It quacks like a duck.
However, before anyone interprets this as saying it was malicious, bear in mind what Napoleon said: "Never ascribe to malice that which can be explained by incompetence." This is a classic example.

Steve Gibson's Findings | digg story
