Posted on 08/06/2002 5:42:07 PM PDT by Amerigomag
Introduction
This paper presents a new generation of attacks against Microsoft Windows, and possibly other message-based windowing systems. The flaws presented in this paper are, at the time of writing, unfixable. The only reliable solution to these attacks requires functionality that is not present in Windows, as well as efforts on the part of every single Windows software vendor. Microsoft has known about these flaws for some time; when I alerted them to this attack, their response was that they do not class it as a flaw - the email can be found here. This research was sparked by comments made by Microsoft VP Jim Allchin who stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. He mentioned Message Queueing, and immediately regretted it. However, given the quantity of research currently taking place around the world after Mr Allchin's comments, it is about time the white hat community saw what is actually possible.
For the rest of the article (the how to) go to the URL.
(Excerpt) Read more at security.tombom.co.uk ...
Keep hoping, slashdotters. It will probably be fixed before your sixteenth birthday.

A balance between boring the average consumer (see reply #2) with a long, technical title and advising the MS system administrators among us of the potential exploit.
What the evil progeny fails to mention is the degree of OS corruption which occurs when running System-level script from IE to Outlook, etc. It 'breaks' the OS installation, which imo explains his name for the exploit.
My prediction: He gets sued-to-H and dies a poor and broken fool. To H with jerks like him.
Trojans could always do just about anything they wanted to, breaking the OS in a wide variety of ways.
Am I mistaken?
It is clever to hide the executing code in a window like that. But if you can run an executable on someone's machine, you can do so many evil things . . .
Are you referring to the hacker who warned MS and then published the exploit, or the MS executive who denied the exploit was a flaw and did not advise his customers of the potential for the problem?
Publishing potential exploits without substantial consequence has been commonplace in the past. This circumstance is different, however, because the patch is a serious limitation on the system and tears the flexibility out of the heart of the system administration.
In your particular circumstances, until you figure out a way to authenticate system messaging (apparently impossible), you are essentially operating some 260-odd stand-alone PCs which communicate with your company servers at the same level of risk presented by the internet.
Your only level of control rests with your personnel department, who should not be hiring any individual with programming skills approaching those of a script kiddie. Maybe your company could refuse to hire anybody under 50 years of age.
Well, you seem to have the crux of the problem there. The permissions elevation comes via an open window, usually an html where the window's permission is bound to malicious script using the Shatter script. So one method would be to send a virus with the shatter script via e-mail. The shatter script would bind the System-level permissions from an open html window to the virus, which is then sent back to Outlook and attached to, say, the signature file and mailed out via Contacts or PAB to be run as System on the recipients' computers. The virus would then execute at System level and, in effect, destroy the OS. At System level viruses can do anything.
Imo by using Shatter script viruses are no longer dependent upon careless users or some 'flaw' or security hole in Windows. I'm fairly sure I've worked 2 cases of Shatter in the last 2 days, which would mean they went through a firewall and network virus scanner. The viruses were crude and were fixed with a chkdsk /f /v /r, but the OSes will likely need to be reinstalled since Task Manager is showing excessive kernel times, i.e. corruption, and programs are repeatedly breaking down.
Unless fixed the possibilities of future MS viruses using shatter script will be endless. There is no patch for the vulnerability since it is inherent to the OS. I imagine MS could make the type of process buffer you mention and incorporate it into a service pack. Perhaps a journal for System processes?
As a closed source OS I'm sure MS didn't anticipate this being discovered. Nor do I think they could be held liable for another's exploit or work. No doubt there are thousands of such design flaws in the code since it was never expected to run in the open. It's just a pain in the butt for those of us who have to deal with this (and these Freaks) on an almost daily basis. As if my customers' Desktop themes weren't enough....
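The condition the posts above keep circling (an "open window" with System-level rights, messaging that cannot be authenticated) comes down to one thing an administrator can actually look for: a window on the interactive desktop that belongs to a process running as some account other than the logged-on user, typically a service running as SYSTEM. The script below is an added illustration, not code from this thread or from the Shatter paper. It enumerates the visible top-level windows with the user32 functions EnumWindows, IsWindowVisible, GetWindowThreadProcessId and GetWindowText, and asks WMI's Win32_Process.GetOwner which account runs each owning process. It assumes Windows PowerShell 5.1 or later, run from the interactive desktop; the function names Get-ProcessOwner and Get-TopLevelWindows and the output column names are mine.

```powershell
# Added example (not from the thread or the Shatter paper): list the visible
# top-level windows on the current desktop and the account owning each one.
# Assumes Windows PowerShell 5.1+ on the interactive desktop.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class WindowEnum {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);
}
"@

function Get-ProcessOwner {
    param([uint32]$ProcessId)
    # Win32_Process.GetOwner names the account the process runs as. It fails
    # (ReturnValue not 0) for processes the caller may not open, e.g. SYSTEM
    # services when run unelevated; report that instead of silently skipping.
    $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) { return '(process exited)' }
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    if ($owner.ReturnValue -ne 0) { return '(access denied)' }
    return ('{0}\{1}' -f $owner.Domain, $owner.User)
}

function Get-TopLevelWindows {
    $results = New-Object 'System.Collections.Generic.List[object]'
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    # EnumWindows invokes this delegate once per top-level window, synchronously
    # on this thread, so the function's variables are in scope. Returning $true
    # tells EnumWindows to continue.
    $callback = [WindowEnum+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        if ([WindowEnum]::IsWindowVisible($hWnd)) {
            [uint32]$procId = 0
            [void][WindowEnum]::GetWindowThreadProcessId($hWnd, [ref]$procId)
            $title = New-Object System.Text.StringBuilder 256
            [void][WindowEnum]::GetWindowText($hWnd, $title, $title.Capacity)
            $owner = Get-ProcessOwner -ProcessId $procId
            $results.Add([pscustomobject]@{
                Handle  = ('0x{0:X}' -f $hWnd.ToInt64())
                Pid     = $procId
                Title   = $title.ToString()
                Owner   = $owner
                # A window whose process does not run as the logged-on user is
                # the kind of target a Shatter-style message attack needs.
                Foreign = ($owner -ne $me)
            })
        }
        return $true
    }
    [void][WindowEnum]::EnumWindows($callback, [IntPtr]::Zero)
    return $results
}

# Usage: show only windows owned by some other account (SYSTEM-run services,
# or processes the caller cannot even query).
Get-TopLevelWindows | Where-Object { $_.Foreign } | Sort-Object Owner |
    Format-Table Owner, Pid, Title, Handle -AutoSize
```

Run it unelevated, as an ordinary user would be, since that is the vantage point that matters: anything listed with a foreign owner, or with "(access denied)", is a privileged process exposing a window to every process of the logged-on user. On the Windows versions this thread is about (2000/XP), "Allow service to interact with desktop" is what puts such windows there, so the fix is to clear that setting and remove the window. On Vista and later, session 0 isolation keeps service windows off the interactive desktop and UIPI rejects most messages sent to a higher-integrity window, which is the platform-level answer to the "authenticate system messaging" problem the posters above say is impossible; the script should therefore list little or nothing foreign on a current system, and anything it does list deserves a look.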
Anyway, his exploit requires your machine to already be insecure (you need to run his app) so you're already in trouble.
Here's a link to his "I'm getting canned, need a new job" post on securityfocus.com in July 2001: Looking for security research.... Guess he's been on ice for a year and needed to make a big splash.