“This paper presents a new generation of attacks against Microsoft Windows, and possibly other message-based windowing systems. The flaws presented in this paper are, at the time of writing, unfixable. The only reliable solution to these attacks requires functionality that is not present in Windows, as well as efforts on the part of every single Windows software vendor.” Read the paper over at Tombom.co.uk. In the meantime, another flaw affects Windows 2000, Linux and MacOSX.
To my understanding it is a flaw in some software's use of the Windows messaging API. Apparently, you cannot use this attack on any of MS's apps. Apparently some programs are using parts of the messaging system they shouldn't. BTW, this is how a CS friend at school explained it to me.
The paper at http://security.tombom.co.uk/shatter.html is not the same issue as http://www.extremetech.com/article2/0,3973,440006,00.asp
Eugenia, you might want to update the text. The xdr_array bug in the Sun library affects Windows, Linux, and Mac OS X.
Shatter is specific to the Win32 API.
Yes, I know. I never said that the two flaws are related!!
I just put the two distinct security issues in one and same article, because I do not want to have two different articles today on security.
I hate security articles. I find them boring to death.
The second one is actually quite interesting.
It’s a flaw in Kerberos library published under GNU license.
If Microsoft admits that their code is vulnerable, then it means that they violated the GNU Public License!
No, it wouldn’t really mean that MS violated GPL.
If you read the article, under the Systems Affected area, it states:
Applications using vulnerable implementations of SunRPC-derived XDR libraries, which include, but are not limited to:
Sun Microsystems network services library (libnsl)
BSD-derived libraries with XDR/RPC routines (libc)
GNU C library with sunrpc (glibc)
Nothing like a horrible, horrible legacy architecture showing its age. It’s funny to think that applications register timers with the display server itself, since without multitasking that’s the way it had to be done. Without any permissions, any application can get any other application to jump to an arbitrary address.
I mean, if nothing else, this means if you can get a handle to the message queue of any application, you can crash it by making it jump to a garbage pointer.
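To make the mechanism in the comment above concrete, here is a small portable C model of it. This is an added illustration, not code from the Shatter paper, from Microsoft, or from any commenter, and it does not use the real Win32 API (the only real value in it is the WM_TIMER message number 0x0113). What it models is documented Win32 behaviour: when a WM_TIMER message carries a non-zero lParam, DispatchMessage calls the TIMERPROC at that address, and a posted message carries no record of which process sent it. The "unchecked" dispatcher reproduces that, so a forged WM_TIMER makes the receiving window jump to whatever address the sender chose; the "checked" dispatcher is one hypothetical fix of the kind later comments sketch, calling only callbacks the window registered itself. The names `set_timer`, `post_message`, `dispatch_checked` and the counters are assumptions for the model.

```c
#include <stdio.h>
#include <stdint.h>

/* Real Win32 message number for WM_TIMER; everything else here is a model. */
#define WM_TIMER   0x0113
#define MAX_QUEUE  16
#define MAX_TIMERS 8

typedef void (*TIMERPROC)(uintptr_t timer_id);

typedef struct {
    unsigned  msg;
    uintptr_t wParam;   /* timer id */
    uintptr_t lParam;   /* TIMERPROC address, or 0 for "deliver to window proc" */
} MSG;

/* One window: its message queue plus the timer callbacks it registered itself. */
typedef struct {
    MSG       queue[MAX_QUEUE];
    int       head, tail;
    TIMERPROC registered[MAX_TIMERS];
    int       nregistered;
    int       dropped;   /* WM_TIMER messages refused by the hardened dispatcher */
} Window;

static int legit_hits, attacker_hits;   /* counters reset by simulate() */

static void legit_timer_proc(uintptr_t id)    { (void)id; legit_hits++; }
/* Stands in for code the attacker wants the victim to execute. */
static void attacker_timer_proc(uintptr_t id) { (void)id; attacker_hits++; }

/* PostMessage-like: anyone holding a handle to w can append, and the message
 * carries no record of who sent it (true of Win32 as well). */
static int post_message(Window *w, MSG m) {
    if (w->tail >= MAX_QUEUE) return 0;
    w->queue[w->tail++] = m;
    return 1;
}

/* SetTimer-like: the window records the callback it asked for. In this model
 * the timer "fires" immediately by queueing its own WM_TIMER. */
static void set_timer(Window *w, uintptr_t id, TIMERPROC proc) {
    if (w->nregistered < MAX_TIMERS) w->registered[w->nregistered++] = proc;
    MSG m = { WM_TIMER, id, (uintptr_t)proc };
    post_message(w, m);
}

/* Vulnerable dispatch, mirroring the documented DispatchMessage behaviour:
 * a WM_TIMER with a non-zero lParam is delivered by calling that address. */
static void dispatch_unchecked(Window *w, const MSG *m) {
    (void)w;
    if (m->msg == WM_TIMER && m->lParam)
        ((TIMERPROC)m->lParam)(m->wParam);   /* jumps wherever lParam says */
}

/* Hypothetical hardened dispatch: only call a TIMERPROC this window registered
 * itself; any other callback address is dropped and counted. */
static void dispatch_checked(Window *w, const MSG *m) {
    if (m->msg != WM_TIMER || !m->lParam) return;
    for (int i = 0; i < w->nregistered; i++) {
        if ((uintptr_t)w->registered[i] == m->lParam) {
            w->registered[i](m->wParam);
            return;
        }
    }
    w->dropped++;
}

/* Drain the queue with either dispatcher; returns the number of messages seen. */
static int run_message_loop(Window *w, int hardened) {
    int n = 0;
    while (w->head < w->tail) {
        const MSG *m = &w->queue[w->head++];
        if (hardened) dispatch_checked(w, m); else dispatch_unchecked(w, m);
        n++;
    }
    return n;
}

/* Constructed scenario: the victim registers one legitimate timer; a second,
 * unprivileged "process" that merely holds the window handle posts a forged
 * WM_TIMER whose lParam points at attacker_timer_proc. */
static Window simulate(int hardened) {
    Window victim = {0};
    legit_hits = attacker_hits = 0;
    set_timer(&victim, 1, legit_timer_proc);
    MSG forged = { WM_TIMER, 0xdead, (uintptr_t)attacker_timer_proc };
    post_message(&victim, forged);
    run_message_loop(&victim, hardened);
    return victim;
}

int attacker_code_ran(int hardened)     { simulate(hardened); return attacker_hits; }
int legit_timer_ran(int hardened)       { simulate(hardened); return legit_hits; }
int forged_timers_dropped(int hardened) { return simulate(hardened).dropped; }

int main(void) {
    printf("unchecked: legit=%d attacker=%d\n", legit_timer_ran(0), attacker_code_ran(0));
    printf("hardened:  legit=%d attacker=%d dropped=%d\n",
           legit_timer_ran(1), attacker_code_ran(1), forged_timers_dropped(1));
    return 0;
}
```

The point the model makes is the one the paper's "unfixable" claim rests on: because the message itself says nothing about its sender, the check has to live in the receiving process (its message loop or its subclassed window procedure), so it is each vendor's code, not the system, that has to refuse the callback. Checking only the message number is not enough either; the dispatcher above compares the actual callback address against what the window registered.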
You're right,
I was jumping the gun. After careful reading I cannot even say what license Kerberos 5 is using.
It’s not actually clear that Microsoft has this flaw at all.
So Eugenia’s statement “In the meantime, another flaw affects Windows 2000, Linux and MacOSX” is incorrect.
It may affect or may not.
The actual list of affected systems is different, and it's a shame for OS-centric news to be so ignorant about other OSes.
Here is the actual list:
IBM AIX – affected, fix is in process
HP-UX – maybe
Win2K – maybe
Apple Mac OS X – fixed
Sun Solaris – affected, fix is in process
Linux – affected, fix is in process
*BSD – fixed
SGI – maybe
>So Eugenia’s statement “In the meantime, another flaw affects Windows 2000, Linux and MacOSX” is incorrect.
I used the headline as found on the linked site. That was not exactly my text. Go get a life outside for a minute, instead of criticizing each and every little shit you find online.
Exploiting the messaging infrastructure in Windows as some sort of critical security deficiency is stupid propaganda designed to support the adoption of Palladium and other secure operating systems.
Microsoft itself has documented the messaging system for years and given examples of how to customize/control applications, controls, dialogs, etc., using the features of the messaging API. Even how to change selectors from code to data and vice versa — PrestoChangoSelector() comes to mind.
Outside of high-security operating systems, I don’t think there is any OS that does extensive security validation of their internal APIs. You could put a debugger hook into just about any app and hijack it to incorporate your own code wherever you want.
Just who is having all these problems with malevolent applications taking over their systems? No one I know. The whole thing smells fishy to me.
The people from Heise news claim that Windows WM_TIMER messages allow processes to be called back in an unchecked manner, possibly raising the security privileges of the callback routine:
http://www.heise.de/newsticker/data/ps-08.08.02-000/
Regards,
Marc
Sorry, I messed up my email address.
As replies have already pointed out, no Microsoft software is vulnerable to this privilege escalation issue, nor would any proper software be. The thing is that some badly behaved software (why do you think the author of the software ended up giving one single example, and a not all that common anti-virus program of all things, too?) has this problem.
The thing is that the proper way to do things is to not run any GUIs at LocalUser privilege; it is like having random end-user programs with suid, really.
Also, that it is unfixable is completely insane, of course. There are a few very specific messages that are problematic, and blocking the sending of them from windows without LocalUser to windows with it would be trivial to implement.
And finally, local privilege escalation holes are common, nothing to make a big fuss about, and for this hack you even need local access. When someone has local access you are already screwed, really.
It is very clear to me that there is no security flaw in the API itself. It is basically a flaw in the software which doesn't properly use the API. If this is a flaw, then we also have big flaws in other operating systems too, i.e. setuid.
I am sick of reading stupid claims and absurd stories against Microsoft. In my mind Microsoft became the victim, where every other creature in the world made it its number one job to say almost anything against this poor company. Please, as a serious site, at least stop doing that and post something true and meaningful.