Did Microsoft deliberately RootKit everyones computer to allow spying by the NSA, CIA and FBI ? Steve Gibson explores the WMF vulnerability

January 13, 2006


Thanks to securitynewsportal.com

The story as we understand it so far is this : Steve Gibson was curious about why Microsoft was not releasing a patch for the earlier versions of Windows to remedy the WMF vulnerability. MS had stated in their Technical Bulletin that they saw no need to patch the older Windows operating system because the WMF 'vulnerability' didn't affect those OS's. Steve wanted to check this out and did a little research on the patch issued by MS, visited the hacker web sites that explained how to exploit the vulnerability and with a few test machines configured with the older OS's he found that he could not find a way to trigger the vulnerability. At this point his findings agreed with MS. .

On further examination of the recent versions of the Microsoft operating systems, Steve found that there was a function call in the Microsoft code that had absolutely nothing to do with the graphics. It in fact was more closely related to a function call for stopping a printing job. On even closer examination it was found that by submitting the digit of " 1 " to this function call you were able to a remote code execution - better known as a 'backdoor'.

Steve is playing down any direct accusations at whether Microsoft had intentionally put this 'backdoor' into all the latter versions of the Microsoft operating systems. Theories from begun to surface from some security pundits that suggest Microsoft may have 'deliberately' placed this backdoor in their code as a means of allowing the NSA, CIA or FBI or just about any law enforcement agency to gain full access to ANY computer on the Internet running these latter versions of the Microsoft operating system.

Also being suggested by some pundits is the theory that one of the Microsoft 'code serfs' may have planted this code for purely innocent purposes during the code development stages ( and it simply was forgotten about ) or that it was put in there deliberately by one of the MS code slaves for a more malicious purpose.

Either way... Steve has now opened a tempest of questions that will now need to be resolved. You can't simply raise the spectre of global spying and hidden rootkits planted by Microsoft without either proving or disproving the allegation. If you cannot trust Microsoft than what can you do? And if there was 'one' hidden rootkit than what is there to say that there is not a 'second' or 'third' fail safe hidden rootkit - as a safeguard should one be discovered or exposed? With the recently revealed 'deliberately installed rootkits' found in Sony DVD products, and now the latest allegations that Symantec and Kaspersky have also been planting rootkits in their products, it leaves you to wonder if this is all just a little too coincidental..

Steve has always been a bit of an alarmist and sometimes he has been accused of being a little theatrical in his self-promotion, but ultimately he has always had the 'good' of the community in mind. So I do suspect that there may be some 'smoke' here that indicates he has stumbled on a potential fire. Only with a thorough investigation will anyone be able to solve exactly what the nature of this 'suspicious code' really was and for what reason it was placed there. The fact is that the 'strange code' did exist and MS had to patch it quickly once it was exposed by security researchers and was being openly exploited by malicious parties. I would humbly submit to you that if Microsoft actively engaged in the planting of 'rootkits' in their recent operating systems then this could be the biggest and most significant news story ever in the computer scene and it will have global ramifications for MS. Then again... Steve G may have found a high profile way to 'cry wolf' and generate subscriptions to his 'SecurityNow pod cast'... at which point he needs to be exposed...

main page ATTRITION feedback