Windows Flaw Remains
Web Design & Technology News, July 11, 2003

A class of attacks that allows a person to take control of any PC or server could leave computer systems in corporations and Internet cafes vulnerable to attack, a researcher says.
By Robert Lemos

Dubbed "shatter" attacks by the original discoverer, the class of security hacks uses the Windows messaging system to request that insecure but privileged applications run malicious code. The Windows messaging system is the medium through which applications and the Windows operating system communicate with each other.

Oliver Lavery, an independent researcher and author of a paper published by security consultancy iDefense on Friday, said that Microsoft fixed the original flaw found but left the basic messaging system untouched. Applications that run with system privileges but don't follow Microsoft's recommended security practices allow the vulnerability to be exploited.

"I think the point that many people have missed in the past is that this is not a single attack, it's a type of attack," Lavery wrote in an e-mail interview. "Taken alone, each instance of a shatter attack is a problem, but not a critical one. The fact that this type of hole is present in many applications, including parts of Windows itself, makes the problem much more serious."

Because the vulnerability requires that a user on the system run the attack code, many people dismissed the attack as unimportant when a researcher released two papers on the issue last year.

No wonder: The vast majority of home users have full administrator rights on their PCs, making privilege escalation a moot attack. However, many corporations only allow employees to have limited user accounts, while kiosks, libraries and Internet cafes usually don't allow people to modify the system. Such situations are where privilege-escalation attacks are most dangerous, Lavery said.

"With modern Windows versions, a normal user account isn't permitted to, say, format the drives in a computer. This sort of function should be restricted to administrators," he said in the e-mail. "Shatter attacks allow this restriction to be circumvented, so a hostile program which exploits a shatter vulnerability can do far more damage than one that does not."

Chris Paget, a security researcher, originally wrote about the "shatter" privilege-escalation attacks last fall.

"The root cause of the problem is that any application can send any message to any other application on the same desktop," said Paget, now a senior security consultant with Next-Generation Security Software. "When the target application receives a message, it has no way of discerning whether the message was sent to it by the system or by another process."

However, the direness of his warnings and the fact that several errors were found with some of his claims led many people to debate the importance of the research. Microsoft's initial dismissal of the paper reinforced that.

The software giant discounted the threat because an attacker would require "unrestricted physical access to your computer" to use the exploit, the company argued in a statement sent last year.

Microsoft's tune changed a few months later. In December, the company issued a patch that fixed the instance of the problem that Paget had identified. On Wednesday, Microsoft corrected another instance of the vulnerability when it closed a hole in the Utility Manager, which was included in Windows 2000 to handle accessibility options for PCs.

Ian Mulholland, security program manager for the Microsoft Security Response Center, said that the software giant had needed time to investigate the issue before it realized the danger.

Moreover, Mulholland said that application makers that follow Microsoft's security guidelines would not have vulnerable applications. The company has long recommended that software makers not use the messaging system for highly privileged applications. At least a handful of developers still haven't adopted this basic measure of protection.

"We published a Knowledge Base article on this back in 1994--that recommendation well predates this instance," he said. "At the end of the day, we can make the recommendations, but if people choose to do otherwise, we can't force them."

Researcher Lavery said he understands the problems in fixing the flaw. The solution would require an extensive rewrite of vulnerable applications. In his paper, Lavery suggests a temporary solution, but it's likely that the issue will remain until all software makers improve the security of their code, he said.

"The fact that numerous applications are written in a manner that is vulnerable to message-based attacks is not due to a fundamental flaw in Windows," he wrote. "The flaw lies in the way programmers are writing software that runs on it."
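As an added illustration of the recommendation that highly privileged applications stay off the desktop messaging system (this is not code from the article, Lavery's paper or Microsoft), the following PowerShell audit lists services that run as LocalSystem and are flagged to interact with the desktop. It assumes that flag is a reasonable proxy for "privileged code that shares a desktop with ordinary users"; a service that creates windows by other means will not appear.

```powershell
# Added example: find services that are both highly privileged and allowed
# onto the interactive desktop, where any other process on that desktop can
# send them window messages.
# Assumption: the "interact with desktop" service flag (DesktopInteract) is
# used as the indicator; it does not prove a service is exploitable.

$privilegedAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

$findings = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.DesktopInteract -and ($privilegedAccounts -contains $_.StartName)
    } |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName

# System-wide setting: a nonzero NoInteractiveServices value tells the
# service controller to ignore the interactive flag on every service.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
$policy = Get-ItemProperty -Path $policyKey -Name NoInteractiveServices `
    -ErrorAction SilentlyContinue
$interactiveBlocked = ($null -ne $policy) -and ($policy.NoInteractiveServices -ne 0)

if ($findings) {
    Write-Output 'Privileged services flagged to interact with the desktop:'
    $findings | Sort-Object Name | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No LocalSystem service is flagged to interact with the desktop.'
}

if ($interactiveBlocked) {
    Write-Output 'NoInteractiveServices is set: the flag is ignored system-wide.'
} else {
    Write-Output 'NoInteractiveServices is not set: flagged services may display windows.'
}
```

Each service it reports is a candidate for review against the vendor's guidance: either clear the interactive flag or move the user interface into a separate process that runs with the user's own rights.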
