Was it intentional? A way to let those in the know to run code?
Funny, I never saw "***NOW INCLUDES BACKDOOR FOR FREE!!!***" on windows packages.
Slashdot is running a story with a transcript of an interview with Steve Gibson, where Steve alleges that the recent vulnerability has to be deliberate. A summary of his reasoning is:
- WMF metafiles do not need an Escape/SETABORTPROC callback hook, which is meant for printer drivers
- in order for the vulnerability to be exploited, not only do you have to use a command that does not make sense for a downloadable graphics metafile, you have to use it with an illegal length '1' that must be used to flag it to invoke the code
For all we know, it was a backdoor put in by a summer intern - however most of you do not know that I am also a software architect / systems analyst, and it boggles my mind to think that such a code path would escape code review.
There would literally have to be some code in Windows something like the following pseudocode:

    while (metafile_not_done) {
        switch (metafile[COMMAND_CODE]) {
            case SETABORTPROC:
                /* the illegal record length flags the record as "code to run" */
                if (metafile[length] == 1)
                    CreateThread(&(metafile[length]+1), .........);
                break;
        }
    }
That is NOT something that would have survived one of my code reviews, nor can it be explained as an accidental bug.
The two likeliest explanations are those suggested by Steve:
- someone at Microsoft added it without management's approval and it slipped through the cracks
- it was deliberately added by Microsoft as a back door for itself - honestly, I don't know why they would bother, Windows Update could be used to execute code on your machine any time it checked for fixes
Food for thought.
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
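Added example, not from the post above or from Microsoft: a small defensive scanner that walks a WMF file's record list and reports any META_ESCAPE record whose escape number is SETABORTPROC, marking those whose declared record size is below the legal minimum of three 16-bit words (the "illegal length" the post describes). The record layout constants are standard WMF; the sample file is constructed inline and carries no escape data.

```python
import struct

META_ESCAPE = 0x0626       # WMF record function code for Escape records
SETABORTPROC = 0x0009      # escape sub-function the post discusses
META_SETWINDOWEXT = 0x020C # harmless record used as filler in the sample
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header

def wmf_records(data: bytes):
    """Yield (offset, size_in_words, function_code) for each WMF record."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:          # standard header is 9 words
        return
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # mtHeaderSize
    off += header_words * 2
    while off + 6 <= len(data):       # size (4) + function (2) at minimum
        size_words, func = struct.unpack_from("<IH", data, off)
        yield off, size_words, func
        if size_words < 3:            # illegal size: cannot advance safely (also stops 0-length loops)
            break
        off += size_words * 2

def find_setabortproc(data: bytes):
    """Return findings for every Escape record whose escape number is SETABORTPROC."""
    hits = []
    for off, size_words, func in wmf_records(data):
        if func != META_ESCAPE or off + 8 > len(data):
            continue
        escape_no = struct.unpack_from("<H", data, off + 6)[0]
        if escape_no == SETABORTPROC:
            hits.append({"offset": off, "size_words": size_words,
                         "illegal_size": size_words < 3})
    return hits

def build_sample(escape_size_words: int, include_escape: bool = True) -> bytes:
    """Constructed test file: header, one SETWINDOWEXT, optional SETABORTPROC escape, EOF."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
    setwindow = struct.pack("<IHhh", 5, META_SETWINDOWEXT, 100, 100)
    escape = struct.pack("<IHHH", escape_size_words, META_ESCAPE, SETABORTPROC, 0)
    eof = struct.pack("<IH", 3, 0x0000)
    return header + setwindow + (escape if include_escape else b"") + eof

if __name__ == "__main__":
    for size in (5, 1):
        print(size, find_setabortproc(build_sample(size)))
```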