Quote:
"Unfixable" flaw breaks Microsoft's Windows
By David Cohen
An "unfixable" flaw that leaves your desktop PC open to serious abuse has been exploited in Microsoft's Windows operating system. The trick could be used by an attacker to discover your passwords, copy your files or even format your hard disk.
Chris Paget, a freelance computer security consultant based in London, revealed the exploit in a paper published on the net on Tuesday. He claims it is the first time this flaw in Windows has been exploited. Paget says he began the research after Microsoft vice president Jim Allchin told a court in May that errors had been identified in Windows but should not be revealed for security reasons.
When a user logs on to a Windows machine, they are granted a certain level of privileges that governs which files they are allowed to access and what sort of operations they can perform on those files.
Paget, who goes by the hacker handle 'Foon', logged on to a system as a guest user - normally granted minimal privileges - and by exploiting the flaw managed to increase his privilege level to 'local system', the highest level possible. This gave him complete access to everything on the machine and potentially to other machines on the local network.
Security boundary
He could then perform any operation on the local machine he liked, including formatting the hard disk, creating new users and hiding "keyboard sniffer" programs to capture passwords of people subsequently using the machine. Blocking the exploit would mean rewriting the Windows core program and all the applications using it.
In a statement issued to New Scientist, Microsoft said: "Based on an exhaustive review of both the theoretical and practical impact of the proposed scenario, we believe that it does not meet Microsoft's definition of a security vulnerability."
The company argues that "the desktop is the security boundary for windows messages", so if an attacker has access to the desktop then a security breach has already occurred.
However, hackers have frequently accessed desktops in the past by exploiting other security holes, and Paget's exploit means they could cause more damage when they do. Employees of large companies might also be able to access prohibited parts of their networks.
Message flow
The flaw exposed by Paget is part of the fundamental design of the Windows operating system. It is contained within the mechanism that controls the flow of messages between different windows on the desktop. This is called the Win32 API and has remained unchanged since 1993.
Critically, the Win32 API system does not authenticate the messages, so cannot distinguish messages from malicious or legitimate sources. This allowed Paget to select a window with the highest privileges and surreptitiously embed a malicious piece of code. When executed, the code would increase his user privileges to the maximum given to that window.
But how could he run that code? Paget also found that by sending a special message, called WM_TIMER, he could cause the window to run the piece of code he had previously embedded in the window's memory.
"This is the really stupid thing that Microsoft lets you do," he says. "The fact that you can cause a window to execute a random piece of code is the key to taking control of the machine."
Microsoft says that the programmers of third-party software should limit the windows in their programs to having only user privileges. However, Windows 2000 itself uses windows that have top-level privilege.
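An added defender-side illustration of the check the article's description implies (example code written for this page, not code from the article or from Paget's paper): a portable C model of a message loop that refuses to run a WM_TIMER callback the process never registered itself, so a WM_TIMER carrying a foreign code address is dropped rather than executed. The MSG and TIMERPROC stand-ins and the SetTimer wrapper are assumptions so that it compiles outside Windows; on Windows the same test would sit in front of DispatchMessage().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define WM_TIMER 0x0113   /* genuine Win32 message number */
#define MAX_TIMERS 8
typedef void (*timer_proc_t)(void);   /* stand-in for Win32 TIMERPROC (assumption) */
/* Stand-in for the Win32 MSG struct (assumption): timer id in wParam, callback address in lParam. */
typedef struct { unsigned message; uintptr_t wParam; uintptr_t lParam; } app_msg_t;
/* Per-process record of the timers this code created through its own SetTimer wrapper. */
static struct { uintptr_t id; timer_proc_t proc; } g_timers[MAX_TIMERS];
static size_t g_timer_count;

/* Call this instead of SetTimer(): it remembers which callback belongs to which id. */
bool app_set_timer(uintptr_t id, timer_proc_t proc) {
    if (g_timer_count >= MAX_TIMERS) return false;
    g_timers[g_timer_count].id = id;
    g_timers[g_timer_count++].proc = proc;
    return true;
}

/* Nothing in a WM_TIMER proves who posted it, so one that carries a callback is trusted
 * only when both the id and the callback address match a timer this process registered. */
bool timer_message_is_trusted(const app_msg_t *msg) {
    if (msg->message != WM_TIMER || msg->lParam == 0) return true;
    for (size_t i = 0; i < g_timer_count; i++)
        if (g_timers[i].id == msg->wParam && (uintptr_t)g_timers[i].proc == msg->lParam)
            return true;
    return false;
}

/* Filtered stand-in for the DispatchMessage() step: runs the callback only for a trusted
 * WM_TIMER and reports whether anything was executed; a forged one is silently dropped. */
bool dispatch_timer_message(const app_msg_t *msg) {
    if (msg->message != WM_TIMER || msg->lParam == 0 || !timer_message_is_trusted(msg))
        return false;
    ((timer_proc_t)msg->lParam)();
    return true;
}

static int g_ticks;
static void demo_tick(void) { g_ticks++; }
/* Demo: one legitimate timer message and one with a constructed foreign callback address. */
int demo_run(void) {
    g_timer_count = 0; g_ticks = 0;
    app_set_timer(1, demo_tick);
    app_msg_t legit  = { WM_TIMER, 1, (uintptr_t)demo_tick };
    app_msg_t forged = { WM_TIMER, 1, (uintptr_t)0x41414141 };
    dispatch_timer_message(&legit); dispatch_timer_message(&forged);
    return g_ticks;   /* 1: only the registered callback ran */
}
```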