Microsoft denies deliberate WMF backdoor

The zero-day Windows Metafile (WMF) vulnerability has already received a great deal of coverage and debate but the affair has got messier still with a security researcher alleging that the flaw was deliberately introduced by Microsoft to provide a backdoor for the software giant to upload code onto users’ machines.

According to the researcher, Steve Gibson:

“If Microsoft was worried that for some reason in the future they might have cause to get visitors to their website to execute code, even if ActiveX is turned off, even if security is up full, even if firewalls are on, basically if Microsoft wanted a short circuit, a means to get code run in a Windows machine by visiting their website, they have had that ability, and this code gave it to them”

Gibson goes on to give a detailed explanation for his theory, which can be found here, and his comments have received a good deal of attention.

The WMF flaw, which concerns the way that Windows handles images, caused IT managers a serious headache over the New Year period, with Trojans actively exploiting the vulnerability before Microsoft was able to rush out a patch on 5th January, breaking the company’s monthly patch cycle in the process.

However, Stephen Toulouse, a security program manager with Microsoft’s security response center, has refuted Gibson’s claims. Writing in an official corporate Microsoft blog on Friday, Toulouse has given a detailed response to the allegations and points out that when WMF support was added to Windows 3.0 around 1990 the security landscape was very different.

For once, however, opinion appears to be on Microsoft’s side, and ironically its Microsoft’s shady past record on security that looks to have helped dig it out of this hole. The company has been responsible for a number of security clangers in the past so what is one more to add to the list?

Backdoors appeal to the conspiracy theorists out there but just like with previous allegations, for example accusations that the US National Security Agency had a backdoor into Windows, this theory seems to be just one leap too far.

Whilst the ruckus dies down the software giant says it is currently searching through its code for similar flaws and has updated its Security Development Life Cycle process to prevent similar problems occurring in the future.