aubreyturner.org

August 30, 2002

Shattering Windows

Here's an interesting article on a security vulnerability (privilege escalation exploit) in Microsoft Windows (all versions that use the Win32 API).

The ability to send messages between windows in different processes is something I was familiar with, but I hadn't given much thought to the security implications of it (although I was well aware of memory protection issues, etc., given that I'd played around with some code like this when I was learning the Win32 API). I had been viewing it as a feature that allowed a program to communicate with other windows. In fact, some fairly handy tools probably use this feature (like WinRunner).
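As an added illustration of that cross-process messaging (this is editor-supplied example code, not from the original post or from the paper it links), the script below uses the user32 SendMessageTimeout call from PowerShell to send WM_GETTEXT to the main window of every other process that has one. The class name Win32Msg and the function Get-WindowTextViaMessage are my own; it assumes Windows PowerShell 5.1 or later so that Add-Type can compile the P/Invoke declaration. The point it shows is the one behind the article: the message carries no identity for the sender, so any process on the same interactive desktop can drive another process's window procedure, whatever account that process runs as.

```powershell
# Added example (not the post's or the paper's code): send WM_GETTEXT to
# windows owned by other processes and see which ones answer.
$src = @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Win32Msg {
    public const uint WM_GETTEXT       = 0x000D;
    public const uint SMTO_ABORTIFHUNG = 0x0002;
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr SendMessageTimeout(IntPtr hWnd, uint Msg, IntPtr wParam,
        StringBuilder lParam, uint fuFlags, uint uTimeout, out IntPtr lpdwResult);
}
'@
Add-Type -TypeDefinition $src

function Get-WindowTextViaMessage {
    param([IntPtr]$Handle)
    $buf = New-Object System.Text.StringBuilder 512
    [IntPtr]$res = [IntPtr]::Zero
    # wParam is the buffer size in characters. The *target's* window
    # procedure runs in the target process and copies its title into our
    # buffer; nothing in the call tells it who asked. Time out rather than
    # hang on a window whose thread is not pumping messages.
    $ok = [Win32Msg]::SendMessageTimeout($Handle, [Win32Msg]::WM_GETTEXT,
        [IntPtr]$buf.Capacity, $buf, [Win32Msg]::SMTO_ABORTIFHUNG, 1000, [ref]$res)
    if ($ok -eq [IntPtr]::Zero) { return $null }   # timed out, refused, or window gone
    return $buf.ToString()
}

# Every other process with a main window: did our message get through?
Get-Process |
    Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero -and $_.Id -ne $PID } |
    ForEach-Object {
        $text = Get-WindowTextViaMessage -Handle $_.MainWindowHandle
        [PSCustomObject]@{
            Pid         = $_.Id
            Process     = $_.ProcessName
            Session     = $_.SessionId
            TitleViaMsg = $text
            Delivered   = ($null -ne $text)
        }
    } | Format-Table -AutoSize
```

Run it from an ordinary, non-elevated PowerShell prompt; every window on your desktop whose owning thread is pumping messages will answer, regardless of which process, or which account, owns it. One caveat for anyone reading this on a current system: Windows Vista and later add User Interface Privilege Isolation, which rejects most messages sent from a lower-integrity process to a window owned by a higher-integrity one, so an elevated window may show up as not delivered there. The 2002-era Windows the article describes had no such check.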

I found this section interesting, though:

This research was sparked by comments made by Microsoft VP Jim Allchin who stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. He mentioned Message Queueing, and immediately regretted it. However, given the quantity of research currently taking place around the world after Mr Allchin's comments, it is about time the white hat community saw what is actually possible.

At the time Allchin made those comments, I thought that they were a desperate ploy to avoid opening up the Windows source code. I also thought that it was pretty arrogant to assume that Windows is that important. But then I thought about the fact that NT (3.5 and 4.0) is C2 certified, so I just let it pass.

The exploit requires that the user be able to run arbitrary code. But that's not as difficult as one might think, and since it's a privilege escalation exploit, it could allow a guest user to gain system access.

Some more discussion on the topic from slashdot: Shattering Windows

Posted by Aubrey at August 30, 2002 04:26 PM