Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Message Security Flaw Explained

Posted by timothy on from the the-fix-is-in-and-waddles dept.

Geoff Shively writes "Canadian security researcher Oliver Lavery published a fantastic paper on Win32 Message Vulnerabilities. The paper touches on a the Shatter problem that received much attention almost 1 year ago regarding the fundamental flaws in the Win32 API. Oliver's research demonstrates that the Shatter vulnerability is still very much in existence and quite a threat. Vendors need to wake up and work towards fixing this problem in their applications."

8 of 48 comments (clear)

  1. Venders problem? by Trevelyan · · Score: 3, Insightful

    Why should venders fix this it an OS problem and Microsofts fault. Working around bugs only lead to more bugs and problems.

    Reminds me of a CS class I once had, the lecture (admittedly a unix advocate) was explaining a problem with software deadlines. ie release now (for market reasons) and fix problem later:
    -MS build next version of Windows and Office at same time, so that they can release together.
    -Office is tested on beta versions of windows, which obviously has bugs, the Office peeps work around the bugs.
    -mean while the windows peeps fix the bugs
    -near release office found not to work right because it is trying to work around bugs which aren't there. (Why they let an Office app play voodoo with the OS is up to you to decide)
    -need to release on time, so put bugs back in windows problem sorted.

    It will be difficult for MS to fix the message system w/o breaking old apps.

    1. Re:Venders problem? by pldms · · Score: 2, Informative

      Why should venders fix this it an OS problem and Microsofts fault. Working around bugs only lead to more bugs and problems.

      I agree absolutely. Letting any app call any function as described in the paper isn't a smart idea (I assume it predates multiple users in windows, but still...).

      However Microsoft's advice is sound. Having setuid apps is always hairy - anyone remember Apple's moment of shame? There's a little bit of guilt on the vendor side, too.

      --
      Slashdot looked deep within my soul and assigned
      me a number based on the order in which I joined
    2. Re:Venders problem? by David+Leppik · · Score: 3, Interesting
      It's not an OS "problem" -- it's a design issue. The "desktop" is designed to be a security boundary within which programs can send each other I/O. If you insist on running a privileged program within the desktop, you deserve what's coming.
      The original author even indicated that Unix/X11 probably suffers from the same issue, except there's no exploit code yet. Anyway, it's like running "pine" as root, and then blaming Unix when the user shells out somehow.
      This is a well-known and very old problem with the design of X. I heard about it in college, back in the early '90s. If you were to design a windowing system these days, you might be smart enough not to use function pointer addresses in shared memory for interprocess communications. But back when X (and windows) were first desgined, they had neither CPU cycles nor the memory to do it right. Arguably X had less excuse for poor security, since it was designed as a multi-user system for running GUIs across the Internet.
  2. Re:Flawed from the beginning by ClosedSource · · Score: 2, Insightful

    Obviously to be backward-compatible with legacy apps that go back a lot further than 1993. Even in 1993 most PC's were not connected to the Internet, so the risk was pretty remote at that time. It's still fairly remote even now.

  3. I'm glad to see other discussion of this. by Futurepower(R) · · Score: 4, Informative


    I had a section on the shatter attack and the messaging vulnerabilities in my paper, Windows XP Shows the Direction Microsoft is Going, but I got so much hostile feedback on message boards from people who said it did not exist, or it was not the fault of Windows, that I took the section out.

    The shatter attack is a local attack only, that allows a logged-on user to elevate to administrator. Microsoft has recently (July 9, 2003) documented one messaging exploit: Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (822679). But what does Microsoft know, right?

    Apparently only two or three exploits of Windows messaging have been published. However, it seems reasonable that there are others.

    The whole question gets some people very upset. They say that it is the fault of whoever wrote a vulnerable application. But look at what's in Windows memory at any one time. There is a huge amount of stuff written by numerous people. It seems to me that it doesn't matter to the user how the vulnerability got there, a vulnerability is a vulnerability. If you use Windows, you are trusting numerous programmers to know how to pass messages because there is no authentication system.

    Consider this post by Uller-RM. He says, "... he [the attacker] adjusts the size of a textbox using an outside program to 4GB. (Windows unfortunately allows this, since the message format doesn't include a "sender" field to check against the owner handle.)".

    Yes, it is unfortunate. And fixing it requires a rewrite of Windows that breaks all present applications. Am I wrong about any of this?

    I'm not saying I understand everything about this, but I don't have time to investigate it further. I have to go back to writing a letter to a customer.

  4. or perhaps... by dh003i · · Score: 2, Insightful

    it's that we want to see the flaws in MS because we dislike their software for practical and ethical reasons.

    However, pointing out flaws in MS software only helps MS. Very few people will change from MS to anything else, no matter how many flaws there are on it. It came with their computer, and they are of course too stupid (or so they think) to do anything else without borking their computer. So, by act of god, they're stuck with MS.

    And, of course, MS can take any criticism of its software and use that to better its software. When confronting an opponent, you don't tell him of all the weaknesses you see, do you?

    --
    social sciences can never use experience to verify their statemen
  5. Re:Limiting scope of messaging? by Webmonger · · Score: 2, Insightful

    Providing an authority context in the message solves the problem by putting the burden on vendors. Remember, vendors were s'posed to be avoiding this problem already, by using a non-privelaged UI (like, say, SSH does).

    Since vendors don't place a high enough priority on security, it seems like someone is going to have to take care of it for them. If a program wants to accept messages other programs it should declare so explicitly.

    Otherwise, what's to prevent a trojan from using QuickBooks to find out your credit card number? Both programs probably have the same privilages, but QuickBooks has access to data that no other program should have. Ad hoc scripting, by definition, permits this possibility.

    Finally, I seriously question the value of accepting messages from other programs that cause you to execute a function of the other program's choosing. I can't see any legitimate use for this that justifies the risk.

  6. Is it really that simple? by Futurepower(R) · · Score: 2, Interesting

    Is it really that simple? Windows has numerous system windows that are hidden, that, according to the developer of the shatter attack, could also be used to implement the attack. My understanding is that Linux and BSD have nothing like that. In Windows, system windows are used for other purposes than GUI display.