MS Message Security Flaw Explained

Geoff Shively writes "Canadian security researcher Oliver Lavery published a fantastic paper on Win32 Message Vulnerabilities. The paper touches on a the Shatter problem that received much attention almost 1 year ago regarding the fundamental flaws in the Win32 API. Oliver's research demonstrates that the Shatter vulnerability is still very much in existence and quite a threat. Vendors need to wake up and work towards fixing this problem in their applications."

I'm glad to see other discussion of this.

[Futurepower(R)]

I had a section on the shatter attack and the messaging vulnerabilities in my paper, Windows XP Shows the Direction Microsoft is Going, but I got so much hostile feedback on message boards from people who said it did not exist, or it was not the fault of Windows, that I took the section out.

The shatter attack is a local attack only, that allows a logged-on user to elevate to administrator. Microsoft has recently (July 9, 2003) documented one messaging exploit: Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (822679). But what does Microsoft know, right?

Apparently only two or three exploits of Windows messaging have been published. However, it seems reasonable that there are others.

The whole question gets some people very upset. They say that it is the fault of whoever wrote a vulnerable application. But look at what's in Windows memory at any one time. There is a huge amount of stuff written by numerous people. It seems to me that it doesn't matter to the user how the vulnerability got there, a vulnerability is a vulnerability. If you use Windows, you are trusting numerous programmers to know how to pass messages because there is no authentication system.

Consider this post by Uller-RM. He says, "... he [the attacker] adjusts the size of a textbox using an outside program to 4GB. (Windows unfortunately allows this, since the message format doesn't include a "sender" field to check against the owner handle.)".

Yes, it is unfortunate. And fixing it requires a rewrite of Windows that breaks all present applications. Am I wrong about any of this?

I'm not saying I understand everything about this, but I don't have time to investigate it further. I have to go back to writing a letter to a customer.

Re:Venders problem?

[pldms]

Why should venders fix this it an OS problem and Microsofts fault. Working around bugs only lead to more bugs and problems.

I agree absolutely. Letting any app call any function as described in the paper isn't a smart idea (I assume it predates multiple users in windows, but still...).

However Microsoft's advice is sound. Having setuid apps is always hairy - anyone remember Apple's moment of shame? There's a little bit of guilt on the vendor side, too.