Free Republic
[Microsoft] Windows can be "shattered", but MS not listening
The Inquirer ^ | 8-7-2002 | Mike Magee

Posted on 08/07/2002 7:29:46 AM PDT by JameRetief

Edited on 08/07/2002 7:42:16 AM PDT by Admin Moderator.

Windows can be "shattered", but MS not listening

Flaws, not bugs are "unfixable"

By Mike Magee: Wednesday 07 August 2002, 09:36

A UK WEB SITE has posted what it claims is an analysis of the Windows 32 API and claims that there are inherent flaws which Microsoft knows all about, which are unfixable, but which the software giant is refusing to address.

The report follows Jim Allchin's statement under oath that some problems in Windows are so great that if the code were released, national security would be threatened.

The web page claims to give details of exactly how to exploit this type of flaw, and the author gives an example of how to elevate privileges.

He has written a sample application which he calls "Shatter" which he claims will allow hackers to elevate privileges.

But the author of the page says he has emailed Microsoft and told them how Windows code can be exploited.

He also says that Microsoft does not classify this type of attack as a vulnerability. That, he adds, is just not true, and the Win32 API cannot be changed.

He has sent an email to several people and organisations, including Security Focus, to outline his findings.

While he says these kind of vulnerabilities have been discussed before, he says his is the first documented way to exploit the problem, which is not a bug, and which he says affects every Windows software package on the planet.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Front Page News; News/Current Events; Technical
KEYWORDS: downplayed; jimallchin; microsoft; security; vulnerabilities; windows
1 posted on 08/07/2002 7:29:46 AM PDT by JameRetief

To: Ernest_at_the_Beach; rdb3
Ping!
2 posted on 08/07/2002 7:30:16 AM PDT by JameRetief

To: JameRetief
This was already posted here somewhere. But anyhow, this sort of weakness only applies to viruses that have already gotten loaded on the PC in the first place. Well, heck, once a virus is on-board, you're scr*wed anyway.
3 posted on 08/07/2002 7:32:52 AM PDT by jlogajan

To: JameRetief
Which UK website?
4 posted on 08/07/2002 7:33:14 AM PDT by RedBloodedAmerican

To: jlogajan
(pssstt...it's an anti-MS piece; so that makes it relevant!)
5 posted on 08/07/2002 7:33:48 AM PDT by RedBloodedAmerican

To: jlogajan
I did a search for any articles with "Windows" in the title, and none were found.
6 posted on 08/07/2002 7:34:36 AM PDT by JameRetief

Comment #7 Removed by Moderator

To: JameRetief
Previous Thread
8 posted on 08/07/2002 7:42:37 AM PDT by E. Pluribus Unum

To: RedBloodedAmerican; All
Sorry, the post should have included the link to the website:

You can find the Web page here.

I also asked the moderator to remove my post #7 (which was a direct copy and paste of another article) due to an inappropriate picture linked from the article. If you wish to read the other article, you can read it on The Register: Win32 API utterly and irredeemably broken

9 posted on 08/07/2002 7:50:27 AM PDT by JameRetief

To: JameRetief
It's a theoretical concern at most. And well, if hackers ever do manage to shut down every computer in the country it will be too late to worry about it.
10 posted on 08/07/2002 9:09:22 AM PDT by goldstategop

To: JameRetief
There's no reason to read past the first sentence. If they're "unfixable" there's no way to "address" them. What's MS supposed to do, tell everybody to go to the competition until Longhorn is finished (which is supposed to break backward compatibility and should hopefully get rid of a lot of the legacy problems Windows has)?
11 posted on 08/07/2002 9:17:59 AM PDT by discostu

To: discostu
...which are unfixable, but which the software giant is refusing to address.

My first thought, also. While I'm no huge fan of MS (Windows has its uses), how can the above even remotely make any sense?

12 posted on 08/07/2002 9:49:19 AM PDT by ShadowAce

To: discostu
If they're "unfixable" there's no way to "address" them. What's MS supposed to do...?

Really. This is a fundamental flaw in the way the API was designed, the way the desktop apps communicate with the O/S and the desktop shell, and it's in all Windows boxes all the way back to W95. Allchin was right in that this has some important national security implications, and I'd bet that it's only the tip of the iceberg.

So what can MS do? The only correct way to "address" this is a total re-design of Windows. (Throw away all of your desktop software.) Any other option is a work-around at best, and will break lots of apps which were written for the Win32 API as it is now. It's probably better to NOT touch it, as with an old building loaded with asbestos insulation, even trying to clean it up could be more dangerous than the current threat.

MS might know that they're backed into a corner here. Their only hope is to minimize the problem through propaganda, assuming (correctly) that most users won't understand the problem.

But the Admins in the field certainly will understand that all their hard work to secure their desktops can be un-done by a user within minutes.

Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with. Yup!

I would not want a job at the Microsoft Security Response Center about now.

13 posted on 08/07/2002 4:02:58 PM PDT by TechJunkYard

To: TechJunkYard
I'd take it even farther back; the problems go all the way back to DOS. There are negative side effects to downward compatibility; probably the two biggest ones are code bloat and bug carry-over.

And the funny part is MS knows this. And apparently they're now doing something about it. They've said Longhorn will not be downwardly compatible (which has the negative side effect you listed: old software, what old software). The funny thing is if you look around the industry the same people that give MS tons of feces for their problems are ALSO complaining about the intention to end downward compatibility. It's solid proof that some people just hate MS and the company will never get their approval and the company shouldn't expend any effort trying to win that approval.

I think they're doing the only thing they can: fix what actually becomes a problem (as a QA guy I'm a firm believer in not fixing bugs nobody is going to run into; the important ones are the ones that will actually affect the customer) and ignore the rest. They could put the whole team to work making XP perfect and in a few years get accused of ignoring the changes in the market, or they can focus on making a new product (and finding a way not to kill the company when they break downward compatibility... can you say dual boot by default? Embedding a Windows simulator still has too much potential to bring old bugs forward).

I have no sympathy for them; you make your bed, you've gotta sleep in it. But if the hecklers want to be relevant they need to keep their demands realistic. The MS hecklers can be (and have been) a source for good in the Windows world (many will scream in pain on hearing that, too bad for them), but when you start demanding they address the unfixable you become irrelevant and whiny.
14 posted on 08/07/2002 4:15:59 PM PDT by discostu

To: JameRetief
This is a joke. It relies on a couple of things being true before you can exploit it. First, it is in no way a remote exploit - you need physical access to the machine to pull it off. Hate to say it kids, but I'll break into virtually any machine I have unrestricted physical access to, I don't care what OS you're running.

Second, it relies on sh*tty programming by application vendors, not MS - there's no good reason for an app to expose LocalSystem-privileged functionality to a user with Guest privileges, and several good reasons not to. Patch McAfee's VirusScan to fix this retarded practice, and this problem goes away...

Third, it requires some level of access to the desktop, at least a guest account - if you're running 2K or XP and you haven't disabled the guest account, consider yourself on probationary status pending a decision about whether you should be removed from the gene pool... :P

15 posted on 08/07/2002 4:41:29 PM PDT by general_re

To: discostu
.. the problems go all the way back to DOS.

DOS had its own unique problems, mostly due to its history and legacy of being a single-user O/S. Microsoft's bread & butter has been Windows. And if Microsoft had put even half the effort/innovation into improving the product that it's devoted to maintaining its monopoly, it wouldn't be as disliked as it is today.

.. the same people that give MS tons of feces for their problems are ALSO complaining about the intention to end downward compatibility. It's solid proof that some people just hate MS and the company will never get their approval and the company shouldn't expend any effort trying to win that approval.

MS consistently shows that it doesn't need approval. WinME, WPA, Licensing 6.0 are all examples that MS doesn't CARE what its customers think; it's gonna do its own thing anyway, the critics be damned. It's an attitude thing, like a little puppy which was never appropriately disciplined for its messes and continues to mess. Now it's big enough that it cannot be tamed; it has taken over the house.

The MS hecklers can (and have) been a source for good in the Windows world..

Remember that it took until W95 OSR2 before MS got a clue and began encrypting passwords sent over the network.. even if they can't think ahead, they can (or at least DID) listen...

.. but when you start demanding they address the unfixable you become irrelevant and whiny.

Agreed... and I think that just indicates a misunderstanding of this problem.

16 posted on 08/07/2002 5:07:07 PM PDT by TechJunkYard

To: TechJunkYard
But they wouldn't have as much money. Bad software decisions are sometimes good business decisions.

I think they're more interested in what the customer thinks than people give them credit for. They've let ME go away, remember Bob? They've actually put a lot of work into stability and usability in the last few years. There's a difference between the critics and the customers. In the long run I think 6.0 will blow over, it's really not that intense a EULA, it actually matches pretty closely the subscription EULA NAI has been using for a while. Again I think most of the complaining is about the company not the item.
17 posted on 08/07/2002 5:35:10 PM PDT by discostu

To: general_re
Second, it relies on sh*tty programming by application vendors, not MS

The system default message handler for a textedit control will accept messages to adjust the box's maximum capacity, store the contents of the box to a specified address, and execute code at a specified address. Unless the application captures these messages and does not pass them through to the default handler, any application which uses one or more textedit controls may be taken over.

18 posted on 08/09/2002 1:27:21 AM PDT by supercat

To: JameRetief
I can take a sledgehammer and "shatter" any computer on the market and make it totally unusable. Bug or not?
19 posted on 08/09/2002 1:42:49 AM PDT by this_ol_patriot

To: supercat
And why exactly should an application that exposes text boxes to the user, such that it can be taken over in such a fashion, be running with greater privileges than that user himself? Isn't this a very good reason not to do that?

No, I still think this is a programmer's problem, not an OS problem - no service or software requiring or allowing user interaction should be running with greater privileges than the current user. If you have a program that requires such, it should be running as a non-interactive service in the first place.

20 posted on 08/09/2002 4:51:07 AM PDT by general_re
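The two preconditions the thread keeps circling back to (supercat's point that any window owned by a higher-privileged process accepts these messages, and general_re's point that nothing with a desktop window should run above the logged-on user) are things an administrator can audit. The script below is an added example written for this page; it is not code from the thread, from the Shatter paper, or from Microsoft. It assumes a Windows host and an elevated PowerShell session (Get-Process -IncludeUserName needs administrator rights), and the list of "privileged" account names is an assumption you should adjust for your environment. It reports services flagged to interact with the desktop and processes that own a top-level window while running as a service account, i.e. exactly the configuration the thread says should not exist.

```powershell
# Added audit script (not from the thread or the vendor). Lists the two Shatter
# preconditions on the local host:
#   1. Services configured with SERVICE_INTERACTIVE_PROCESS (Win32_Service.DesktopInteract).
#   2. Processes that own a top-level window while running under a privileged service account.
# Assumes Windows and an elevated session; Get-Process -IncludeUserName requires admin.

function Get-InteractiveService {
    # DesktopInteract is True when the service's Type value has the 0x100
    # (SERVICE_INTERACTIVE_PROCESS) bit set, the "Allow service to interact with desktop" box.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract } |
        Select-Object Name, StartName, State, PathName
}

function Get-PrivilegedWindowOwner {
    param(
        # Assumed list of accounts that outrank an ordinary interactive user; adjust as needed.
        [string[]]$PrivilegedAccounts = @(
            'NT AUTHORITY\SYSTEM',
            'NT AUTHORITY\LOCAL SERVICE',
            'NT AUTHORITY\NETWORK SERVICE'
        )
    )
    # A non-zero MainWindowHandle means the process owns a top-level window on this desktop,
    # so its default window procedures will receive messages sent by any process on that desktop.
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.MainWindowHandle -ne [IntPtr]::Zero -and
            $PrivilegedAccounts -contains $_.UserName
        } |
        Select-Object Id, ProcessName, UserName, MainWindowTitle
}

function Invoke-ShatterPreconditionAudit {
    $interactive = @(Get-InteractiveService)
    $windowed    = @(Get-PrivilegedWindowOwner)

    Write-Host "Services marked to interact with the desktop: $($interactive.Count)"
    $interactive | Format-Table -AutoSize

    Write-Host "Privileged processes owning a top-level window: $($windowed.Count)"
    $windowed | Format-Table -AutoSize

    # Return both lists so the caller can act on them (e.g. sc.exe config <name> type= own
    # to clear the interactive flag after confirming the service does not need it).
    [pscustomobject]@{
        InteractiveServices      = $interactive
        PrivilegedWindowOwners   = $windowed
    }
}

# Run the audit when the script is executed directly.
Invoke-ShatterPreconditionAudit
```

A clean result is two empty tables. Anything listed under the first table should have the interactive flag removed unless the vendor can justify it, and anything under the second is a process a lower-privileged user on the same desktop can send window messages to; the fix the thread itself recommends is to split that functionality into a non-interactive service plus an unprivileged UI process. On Vista and later, Session 0 isolation and UIPI close most of this class of exposure by default, so a non-empty second table on a modern host usually means something has been deliberately configured around those protections.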

