Slashdot Mirror


MS Message Security Flaw Explained

Geoff Shively writes "Canadian security researcher Oliver Lavery published a fantastic paper on Win32 Message Vulnerabilities. The paper touches on the Shatter problem that received much attention almost 1 year ago regarding the fundamental flaws in the Win32 API. Oliver's research demonstrates that the Shatter vulnerability is still very much in existence and quite a threat. Vendors need to wake up and work towards fixing this problem in their applications."

3 of 48 comments

  1. Vendors' problem? by Trevelyan · Score: 3, Insightful

    Why should vendors fix this? It's an OS problem and Microsoft's fault. Working around bugs only leads to more bugs and problems.

    Reminds me of a CS class I once had. The lecturer (admittedly a Unix advocate) was explaining a problem with software deadlines, i.e. release now (for market reasons) and fix the problem later:
    - MS builds the next version of Windows and Office at the same time, so that they can release together.
    - Office is tested on beta versions of Windows, which obviously have bugs; the Office peeps work around the bugs.
    - Meanwhile the Windows peeps fix the bugs.
    - Near release, Office is found not to work right because it is trying to work around bugs which aren't there. (Why they let an Office app play voodoo with the OS is up to you to decide.)
    - Need to release on time, so put the bugs back in Windows; problem sorted.

    It will be difficult for MS to fix the message system w/o breaking old apps.

    1. Re:Vendors' problem? by David Leppik · Score: 3, Interesting
      It's not an OS "problem" -- it's a design issue. The "desktop" is designed to be a security boundary within which programs can send each other I/O. If you insist on running a privileged program within the desktop, you deserve what's coming.
      The original author even indicated that Unix/X11 probably suffers from the same issue, except there's no exploit code yet. Anyway, it's like running "pine" as root, and then blaming Unix when the user shells out somehow.
      This is a well-known and very old problem with the design of X. I heard about it in college, back in the early '90s. If you were to design a windowing system these days, you might be smart enough not to use function pointer addresses in shared memory for interprocess communications. But back when X (and Windows) were first designed, they had neither the CPU cycles nor the memory to do it right. Arguably X had less excuse for poor security, since it was designed as a multi-user system for running GUIs across the Internet.
  2. I'm glad to see other discussion of this. by Futurepower(R) · Score: 4, Informative

    I had a section on the shatter attack and the messaging vulnerabilities in my paper, Windows XP Shows the Direction Microsoft is Going, but I got so much hostile feedback on message boards from people who said it did not exist, or it was not the fault of Windows, that I took the section out.

    The shatter attack is a local attack only, one that allows a logged-on user to elevate to administrator. Microsoft has recently (July 9, 2003) documented one messaging exploit: Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (822679). But what does Microsoft know, right?

    Apparently only two or three exploits of Windows messaging have been published. However, it seems reasonable that there are others.

    The whole question gets some people very upset. They say that it is the fault of whoever wrote a vulnerable application. But look at what's in Windows memory at any one time. There is a huge amount of stuff written by numerous people. It seems to me that it doesn't matter to the user how the vulnerability got there, a vulnerability is a vulnerability. If you use Windows, you are trusting numerous programmers to know how to pass messages because there is no authentication system.

    Consider this post by Uller-RM. He says, "... he [the attacker] adjusts the size of a textbox using an outside program to 4GB. (Windows unfortunately allows this, since the message format doesn't include a "sender" field to check against the owner handle.)".

    Yes, it is unfortunate. And fixing it requires a rewrite of Windows that breaks all present applications. Am I wrong about any of this?

    I'm not saying I understand everything about this, but I don't have time to investigate it further. I have to go back to writing a letter to a customer.
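The practical takeaway from both David Leppik's comment (a privileged program sharing the interactive desktop is the exposure) and Futurepower's (window messages carry no sender, so the receiver cannot authenticate them) is an inventory question: which processes on this desktop own a window yet run under a different account than the logged-on user? The following PowerShell script is an added example written for this page, not code from the Slashdot thread, from Oliver Lavery's paper, or from Microsoft. It assumes Windows PowerShell 5.1 or later and an elevated prompt, because `Get-Process -IncludeUserName` needs that to read the owner of every process; the function name `Get-CrossAccountWindows` is my own.

```powershell
# Added example (not from the Slashdot thread or the paper it discusses).
# Lists processes that own a top-level window on this desktop but run under a
# different account than the logged-on user (for example SYSTEM or a separate
# admin account). Those are the processes that any window message sent from
# this desktop can reach, since the message itself carries no sender identity.
# Assumes Windows PowerShell 5.1+ and an elevated prompt, which
# Get-Process -IncludeUserName requires to read every process's owner.

function Get-CrossAccountWindows {
    # Account of the interactive user running this script, e.g. DOMAIN\alice
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    Get-Process -IncludeUserName |
        Where-Object {
            # MainWindowHandle is 0 for processes without a top-level window;
            # UserName is empty for processes whose token we could not open.
            $_.MainWindowHandle -ne 0 -and
            $_.UserName -and
            $_.UserName -ne $me
        } |
        Select-Object Id, ProcessName, UserName, SessionId, MainWindowTitle
}

# Usage: prints one row per window-owning process that does not belong to
# the current user. An empty result means nothing privileged is sharing the
# desktop's message queue with this account.
Get-CrossAccountWindows | Format-Table -AutoSize
```

The check intentionally keys on the owning account rather than on any particular message type, because the thread's point is that the receiver of a message has nothing to authenticate it with; whether a given window procedure mishandles a given message is a separate, per-application question. On Windows Vista and later, services run in session 0 and so never appear here; the rows you do see are typically elevated helpers started inside the user's own session, which is exactly the configuration Leppik warns against.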