Windows Shatter Attack

by Ed Sawicki
Accelerated Learning Center
Tailored Computers

August 15, 2002

SANS included this item in their broadcast yesterday:

 Researcher Claims Win32 Messaging System is Irreparably Flawed

 Chris Paget says there is an irreparable hole in Win32. Any application can send
 a message to any window on the same desktop regardless of whether or not the window
 is owned by the application, and there is no authentication mechanism to prevent
 this from happening. Paget has published a white paper describing a "shatter attack"
 which allows an attacker to gain control of a system by elevating his or her
 privileges. Microsoft says this does not fit their criteria/definition of a security
 vulnerability.

http://www.theregus.com/content/55/25883.html

http://news.zdnet.com/2100-1009_22-948931.html

 [Editor's Note (Murray): The messaging system works as documented. What Paget proposes
 to exploit is a documented feature. One of the things that makes it "irreparable" is that
 it is widely used in ways that do not compensate for its fundamental vulnerability. What
 Paget describes is an attack that might permit an otherwise unprivileged, but identified
 and authenticated, user in a multi-user system to assume the privileges and identity of
 another more privileged user. However, such a user is not an arbitrary "attacker" as our
 abstract might be read to say. And the Messaging System is not one between users but one
 between operating system objects.]

All parties are correct here but, in my view, Chris Paget is the most correct. I'm a little surprised that Murray tries to minimize the problem. If you're having trouble understanding the implications of the technical aspects of this issue, I can simplify it. The vulnerability suggests that a Win32 platform is one that shouldn't be used when programs or services must have high assurance that they can't be attacked by other programs running on the same computer. See the comparison Chris makes between Win32 and X for added perspective.

Given that most Microsoft services, such as IIS, Exchange, SQL Server, etc., have had serious security issues (which may be unrelated to this vulnerability, but there's a boatload of vulnerabilities left to discover in their closed source), here are two rules that make sense:

  1. DON'T USE WINDOWS FOR SERVERS if you run more than one program or service on a single computer.
  2. If you must use Windows for your servers, PUT IMPORTANT SERVICES ON SEPARATE COMPUTERS.

Of course, the obvious third rule is to replace your Windows servers with a more secure OS, like Linux, FreeBSD, NetWare, Solaris, etc. If you have serious security requirements, consider SELinux from the NSA.

As for desktop computers, this vulnerability is just another in a sea of serious Windows security issues. Windows desktops will never be secure. Deal with it.