Windows Vista still Rife with Insecure Code

osxpetition writes "As noted in a News.com article, Symantec researchers have been testing the latest Microsoft Windows Vista build (Beta 2), and have found that the code is 'complete with new corner cases and defects' in the networking component. Symantec describes how Microsoft scrapped the old networking stack code from Windows XP in favour of newer, rewritten code. 'Microsoft has removed a large body of tried and tested code and replaced it with freshly written code.' Since January 2002, Microsoft has put a stronger emphasis on protecting PCs by attempting to implement stable, secure code into Windows XP and their new operating system. This latest report from Symantec brings attention to Microsoft's trustworthy computing campaign, and shows how it will be a long way before it is ready for the mainstream."

Re:I would like to know

[kevin_conaway]

I would like to know If the so-called shatter attack still works in Vista. If it does, no amount of privilege limitation can help you.

Since you didn't provide any useful context to your question, allow me. From here:

Chris Paget says there is an irreparable hole in Win32. Any application can send a message to any window on the same desktop regardless of whether or not the window is owned by the application, and there is no authentication mechanism to prevent this from happening. Paget has published a white paper describing a "shatter attack" which allows an attacker to gain control of a system by elevating his or her privileges. Microsoft says this does not fit their criteria/definition of a security vulnerability.

Shatter attack

[Kadin2048]

I had never heard of such a thing before (actually, initially I thought you were just punning on Windows + 'shattering', har har).

It would seem that Vista allegedly fixes the design flaw that allows for the attack, by not running system services in the same session as the user. At least, that seems to be what the Wikipedia article on the topic is suggesting.

The key to shatter attacks is that Windows allows processes running in the same session to pass messages between each other, the result of which is that via code injection, any process can escalate up to the level of the highest process also running in its session. MS is quoted in the article as saying "[This is not] a flaw in Windows. In reality, the flaw lies in the specific, highly privileged service. By design, all services within the interactive desktop are peers, and can levy requests upon each other. As a result, all services in the interactive desktop effectively have privileges commensurate with the most highly privileged service there." (Which is amusingly doublespeak-ish; they're saying "this isn't a design flaw, we designed it that way!")

This blog post by a member of the IE7 team would confirm that they've at least tried to address this in Vista (but of course that's what you'd expect them to say). It says: "User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages."

Yet another nice legacy "feature" from the single-user-OS days.

Re:beta

[CaymanIslandCarpedie]

FTA:Symantec researchers put the networking technology in Vista under a magnifying glass to determine its exposure to external attacks. The team said it found several flaws in build 5270 of Vista and even more in earlier test versions. However, these were all fixed by Microsoft in build 5384, the version of the operating system that was publicly released in May as Beta 2.

For those too lazy to read the article all it really says is. We found a few issues in early releases of Vista. They've already all been fixed by Beta 2, but we are guessing there are probably more.