Slashdot Mirror


MS Message Security Flaw Explained

Geoff Shively writes "Canadian security researcher Oliver Lavery published a fantastic paper on Win32 Message Vulnerabilities. The paper touches on the Shatter problem that received much attention almost 1 year ago regarding the fundamental flaws in the Win32 API. Oliver's research demonstrates that the Shatter vulnerability is still very much in existence and quite a threat. Vendors need to wake up and work towards fixing this problem in their applications."

1 of 48 comments

  1. Vendors' problem? by Trevelyan · Score: 3, Insightful

    Why should vendors fix this? It's an OS problem and Microsoft's fault. Working around bugs only leads to more bugs and problems.

    Reminds me of a CS class I once had. The lecturer (admittedly a Unix advocate) was explaining a problem with software deadlines, i.e. release now (for market reasons) and fix problems later:
    - MS builds the next version of Windows and Office at the same time, so that they can release together.
    - Office is tested on beta versions of Windows, which obviously have bugs; the Office peeps work around the bugs.
    - Meanwhile the Windows peeps fix the bugs.
    - Near release, Office is found not to work right because it is trying to work around bugs which aren't there. (Why they let an Office app play voodoo with the OS is up to you to decide.)
    - They need to release on time, so they put the bugs back in Windows; problem sorted.

    It will be difficult for MS to fix the message system w/o breaking old apps.