Microsoft Disputes WMF Backdoor Claim

Microsoft has directly responded to accusations by security researcher Steve Gibson who claimed the company intentionally left the Windows Meta File vulnerability open as some kind of "backdoor." The company says the function in question exists due to legacy code, not some nefarious intent.

"This was not a mistake. This is not buggy code. This was put into Windows by someone," Gibson said on his podcast called Security Now. "I believe that some very clever and industrious hacker figured this out, started using it and Microsoft was caught off guard and thought: Whoops, we've got to close this backdoor down."

The resulting firestorm created by Gibson caused Microsoft security program manager Stephen Toulouse to respond to those claims on Friday.

"The long story short is that the vulnerability can be triggered with either correct or incorrect metafile record size values, there seems to have been some confusion on that point," Toulouse said.

The function "SetAbortProc" allowed for print jobs to be cancelled and is where the vulnerability resides. This code exists on every version of Windows since version 3.0, security firms have said. When this functionality was introduced, Toulouse said the security landscape differed from what it is now and metafile records were completely trusted by the operating system.

Gibson claimed that the flaw could be exploited only by using a byte size of 1 in the metafile record, which Toulouse says is incorrect. He surmised that Gibson's tests had the offending function as the last entry in the metafile, which caused only incorrect sizes to trigger the flaw.

Toulouse also explained why the company was not providing fixes for the Windows 9x platform, on which the flaw can also be exploited.

"The reason Windows 9x is not vulnerable to a "Critical" attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record," he explained.

Thus, under Microsoft's "extended lifespan" support polices, the issue did not count as critical, and a patch will not be issued. Any other attack vectors determined by the company have also not met this standard, Toulouse added.

For a vulnerability to be listed as critical by Microsoft, it must refer to a code execution attack that could result in automated attacks requiring little or no user interaction.