OSDN:  Our Network - Newsletters - Advertise - Shop   SEARCH:     
NewsForge - The Online Newspaper of Record for Linux and Open Source
The Online Newspaper of Record      
for Linux and Open Source
August 10th, 2002
   Corporate Voices       Home     Linux.Com     Reports     NewsVac      
 
 
  Microsoft denies Win32 API 'flaw'  
Thursday August 08, 2002 - [ 03:19 PM GMT ]   Print this Article
Topic - Security
 PDAJames writes" "A couple of days ago, Chris Paget published a whitepaper showing how you could exploit a 'feature' of the Win32 API to elevate user priveleges. Paget thinks this is a major fault with the API, but Microsoft doesn't even acknowledge that it's a vulnerability, according to this story (at ZDNet UK). Is Microsoft right for once, or is it just more 'security through obscurity'?"

( Post a new comment )

what a surprise...      (#21959)
by Anonymous Reader on 2002.08.08 10:57

MS denies yet another security flaw in Windows.

Should we be surprised, no! They will admit it only when they release a patch for it in the next SP's for 2000 and XP(if they do anything about it at all).

Hell on Windows XP as a regular GUEST I can kill the system by deleting some important files, mind you a guest is not supposed to be able to do this.
[ Reply to This | Parent ]

Viruses?      (#21960)
by Anonymous Reader on 2002.08.08 11:04

Would this technique make Outlook-spread viruses more capable?
[ Reply to This | Parent ]

If I still ran WinXP...      (#21962)
by OddFox on 2002.08.08 11:14   | User Info |

I'd like to see ANYONE try and get me to be a dumbass and run arbitrary code. "It'll make your downloads go faster, more pr0n!"
[ Reply to This | Parent ]

It's a real problem...      (#21964)
by fitzix on 2002.08.08 11:22   | User Info |

I saw Paget's original posting on bugtraq. The first thing that I thought was "I had heard rumors of this in the past..."

And I had. It turns out that Windows' permission system is less than paper thin. Applications can be given greater than normal permissions through unchecked methods and thus become backdoors. I mean, this isn't even a minimal issue, like a buffer overflow. It's even worse. Becuase the queue is unchecked - and programs are routinely written that use this - you can't just "fix" this with a patch and it's not in a single isolated spot.

This is a MAJOR design flaw in the windows architecture.

And of course they're going to deny it... To admit it would be like admitting that they don't care about system design... which means that any serious customer that relies on them has been getting duped...

Of course, we already knew that this was true. But, this design flaw only proves the point.
[ Reply to This | Parent ]

Well ...      (#21965)
by Rocky on 2002.08.08 11:23   | User Info | Home Page |

It would seem easy enough for a savvy individual to verify. I'm not a Windows programmer (thankfully) so I don't have the tools to even try it out but surely somebody out there does.... prove them right or wrong so we can quit speculating.... 8-)
[ Reply to This | Parent ]

What do you expect from Microsoft?      (#21966)
by OwlWhacker on 2002.08.08 11:28   | User Info |

Paget appears to think he's worthy of worship and adoration, and unfortunately comes across as a major dork... but he's right in stating that this is a Microsoft flaw. It's all down to sloppy coding again.
[ Reply to This | Parent ]

Libraries, schools, goverment offices,.....      (#21968)
by Anonymous Reader on 2002.08.08 11:39

To prevent hacking we should prohibit the use of MSwindows computers at libraries and schools. Here is an example of total physical access.
[ Reply to This | Parent ]

And will prosecute anybody under the DMCA...      (#21981)
by Anonymous Reader on 2002.08.08 14:01

Who tries to demonstrate it.

Oh Bill, what a tangled and ineffective web we weave.
[ Reply to This | Parent ]

Hack fest?      (#21983)
by Anonymous Reader on 2002.08.08 14:32

Ebay runs on windows. Given the c/card and banking details they collect from their sellers I can't imagine a bigger target for this exploit. Is your data safe?
[ Reply to This | Parent ]

User Login

Username

Password
New User?
Lost Password?

Submissions
- News story
- Commentary

PriceCompare
Compare prices for a wide range of products.

Search

We want your story

Search Linux.com and NewsForge
  Choose section Enter keywords
    
  (Note: words under four characters are not indexed)
© Copyright 2002 - OSDN Open Source Development Network, All Rights Reserved
About NewsForge.com  •  About OSDN  •  Privacy Statement  •  Terms of Use  •  Advertise  •  Contact Us