Shattering Windows

ChrisPaget writes: "I've just released a paper documenting and exploiting fundamental flaws in the Win32 API. Essentially, they allow you to take control of any window on your desktop, regardless of whether that window is running as you, localsystem, or anywhere in between. The technique has been discussed before, but AFAIK this is the first working exploit. Oh, did I mention it's unfixable?" You may want to read this CNET interview with Microsoft security head Scott Charney to learn even more about "trustworthy computing."

Someone discovered Windows is insecure.

[SpanishInquisition]

Film at 11

Isn't this in the EULA anyway?

[Dynamoo]

"Essentially, they allow you to take control of any window on your desktop".. sounds like it's straight out of Microsoft's new EULAs.

EASY!

[mekkab]

(RING!)

ME) Hello, Mr. Hockenblock?
MR HB) yes?
ME) Our network associates have found a bug in the network system.

MR HB) Oh, really?
ME) Yes, it seems there is a particularly nasty roving virus that when it hits your system through an open port, can cause your computer to get stuck in an n-th complexity infinite binary loop*

*- note blatantly stolen bogus virus description! (see: good times virus warning)

MR HB) Dear lord, no!
ME) any ways, there is a way to fix it.
MR HB) How?!
ME) just got to http://www.eye.0wn.j00.com and download and run the files there.
MR HB) thanks!
ME) please tell all your friends.
MR HB) I will!

Evolving Concepts at Microsoft are Frightening

[guttentag]

We're doing this thing called "Trustworthy Computing." It's an evolving concept.

It starts out meaning "We are worthy of your trust."

Then it evolves to mean "You trust us."

Then it evolves to mean "You trust only us."

Then it evolves to mean "All your base are belong to us."

I think I'm safe

[bsharitt]

As long as this doesn't affect DOS 2.1, my server farm should be safe.

no, no.....

[Lord_Slepnir]

Their EULA reads "Essentially, you will allow us to take control of any window on your desktop." Glad I could clear that up.

High opinion

[timothy_m_smith]

Here is what the author had to say about himself at the end of the paper:

Foon, AKA Chris Paget, first started programming on a ZX81 at the age of 4. He's been working with computers for longer than most of the bosses he's had. After extending a BBC B to include an ADC capable of filling the machine's memory in less than 2 seconds and scaring the cleaners with automated voice warnings when they entered his room, he got bored and moved onto PC's and Windows, where the majority of his skills lie. Able to program in 23 languages on 14 platforms, Foon takes an average of 3 days to learn a new programming language. He's currently available as a freelance security consultant - his CV is available on request.

Aren't we the most important programmer ever!

Re:Take control?

[Anonymous Coward]

bah. thats nothing.
check mine out.
Original Install Date: 2/1/2000, 01:42:37 PM
System Up Time: 700 Days, 8 Hours, 4 Minutes, 15 Seconds
C:\> ver

Windows 98 [Version 4.10.2222]

Re:Scott Charney

[Anonymous Coward]

Oops--my cat jumped on the keyboard and submitted my post before I got into my favorite Scott Charney anecdote. Back in the U. Mich. [umich.edu] days, Scott and I were discussing userspace security in the Win32 API. Scott wanted a little bit of time to think over my suggestion about modifications to msgsrv32.dll, so I excused myself. As I stood up to leave Scott said "Your barn door is open". Before I could look down to check, Scott yanked on my waistband and poured a bowl of hot grits down my pants. It was sticky and hot.

Oliver u r teh TRLOL.

Re:High opinion

[Anonymous Coward]

He also has never talked to, nevermind had sex with, a woman. He finds that he has trouble making friends, partially because of his inability to talk about anything besides the 23 languages and 14 platforms he can program for, and the onion-like smell which lingers behind is unshaven, rarely cleaned body. In order to make up for his indescribably small penis, Chris brings up debate in favor of technologies to boost his ego such as functional programming, UNIX, and any one of the 23 languages on 14 platforms already mentioned twice before that he can program for and you can't.

Windows Exploit - most dangerous!

[teamhasnoi]

Look for a period by itself on the bottom left of the screen. It looks like an off-pixel. Hold down "Shift", then click on it.

Bam! Root access.

This works on the systems of the DMV, FBI, DOD, Equifax, Telephone and Utillity companies.

I couldn't believe it myself! I said, "This is so easy, even Sandra Bullock could hack this!"

Re:Don't Do That

[handorf]

How dare you have a reasonable opinion on slashdot! My army of trained flamemeisters has been dispatched to beat you about the head and neck with copies of "The Road Ahead"

Windows is insecure. Linux is insecure. PROGRAMS are insecure.

Re:the basic problem

[-Harlequin-]

True- if you take a company of nothing but engineers, you'll have a product nobody understands how to use, and nobody can sell. But if you have a company of nothing but MBA's and Lawyers, you have a company that sells nothing but a lot of vapor and hype. This is the personification of Microsoft.

And if you have a company of nothing but marketers and sales, you'll also sell nothing but a lot of vapour and hype. But you'll sell an awful lot of it...

Re:High opinion

[greygent]

This poster finds it narcissistic and silly that the author wrote about herself in the 3rd person.

Re:Don't Do That

[_Sprocket_]

You must LOVE the old joke:

patient: Doctor, it hurts when I do this.
doctor: Well then, don't do that!

Re:Fixability

[b0bd0bbs]

AFAIK you can still allocate ring 3 descriptors via windows DPMI calls, change them to ring 0 descriptors via an LDT mapping (which is legal in pmode the way windows sets things up), then execute any code in your program as ring 0. Woohoo. That *feature* has been around for at least 6 years.

Is this the Allchin bug?

[Old time hacker]

Do you think that this problem is the one that Jim Allchin described as dangerous to national security [eweek.com]?

If it is, then it seems a bit dishonest for the microsoft message [tombom.co.uk] author (Dave at the Security Response Center) to say that they don't consider it to be a bug.

If it isn't, then there must be another problem which is even more serious. Oh dear!

Re:the basic problem

[Anonymous Coward]

I understand HTML was not your original calling, so to speak.

Re: sprintf() _is_ safe.

[Antity]

You're wrong here. You absolutely can limit field sizes with sprintf().

char buf [8];
sprintf (buf, "%-.3sTEXT", "1234567890");

And I forgot: You can even specify dynamic field sizes using the '*' character:

sprintf (buf, "%-.*sTEXT", sizeof(buf)-(sizeof("TEXT")-1)-1, textofunknownlen);

Good to know and good to use, IMHO.

Re:Virus in his code

[Clowning]

"I wouldn't recommend running it on a production machine hooked up to anything..."

Do you mean Windows or the exploit?

Re:How do you rescind acceptance of the EULA?

[Bingo Foo]

Or if Microsoft has somewhere noted your initial agreement, is it in perpetuity? Does Microsoft permanently own that box?

Here is where many people get confused by legal definitions and concepts of property, contracts, and so forth. Allow me to attempt to clear this up: Microsoft does not "own" your box. In legal parlance, Microsoft "0wnz j00!!!!!"

Re:Physical access

[Anonymous Coward]

Hah! I desoldered those jumpers, try and hax0r me know.. hey! where are you going with that hardrive, bring that back!

Re:Just so you know... AFAIK

[dimator]

And THANK YOU very much for linking to e2. I'll be clicking around there for a good 2 hours now, thanks for killing my productivity.

Re:Don't Do That

[Anonymous Coward]

Well, GNU is an (incomplete) operating system, but it's owned by the Free Software Foundation, whose address is:

Free Software Foundation
59 Temple Place - Suite 330
Boston, MA 02111-1307, USA

Any other questions?

Re:Executing untrusted code

[Enigma2175]

You forgot

3) Profit

It had to be said...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:High opinion

[stor]

Heh, I can't help imitating C3POs voice when reading that.

Cheers
Stor

Re:Nice try

[Alsee]

Shouldn't that read Recognition! Fame! Fortune! Coverage! Beer! ?

I fail to see how post some techie-sounding text related to some vague problem with Windows is supposed to lead to girls :)

-