"shatter" vulnerability
Jonathan Morton
chromi "at" chromatix.demon.co.uk
Fri Aug 16 10:47:01 2002
>WM_TIMER induced shatter:
>
>One of the modes is the range of messages that we don't even get to see
>that could execute code as the user the UI runs as. Again, by divorcing
>the UI from the bits that actually need privs, the escalation
>possibility decreases.
Actually, the messages are *always* seen. Read the Slashdot
discussion. The problem is that M$' example code, and therefore
almost all real applications, hand off unhandled messages to a
default handler, which then does not do any sanity-checking of
pointers before executing them. Closing this hole is non-trivial,
but possible.
--
--------------------------------------------------------------
from: Jonathan "Chromatix" Morton
mail: chromi "at" chromatix.demon.co.uk
website: http://www.chromatix.uklinux.net/
geekcode: GCS$/E dpu(!) s:- a21 C+++ UL++ P L+++ E W+ N- o? K? w--- O-- M++$
V? PS PE- Y+ PGP++ t- 5- X- R !tv b++ DI+++ D G e+ h+ r++ y+(*)
tagline: The key to knowledge is not to rely on people to teach you it.
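An added example, not code from the post or from any Windows component, to make the hand-off described in the reply concrete: a portable C model in which a "default handler" treats the lParam of a WM_TIMER message as a callback address and runs it unchecked, placed beside a window procedure that only runs callbacks it registered itself. The Msg struct, register_timer, deliver_timer and the two handler functions are simplified stand-ins and are assumptions of this example, not the Win32 API; only the numeric value of WM_TIMER is the real one.

```c
/* Added example (not from the original post): a portable C model of the
 * WM_TIMER hand-off described in the reply.  Windows is not required; the
 * message struct, the timer registry and the handler names below are
 * simplified stand-ins (assumptions of this example), not the Win32 API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WM_TIMER 0x0113          /* same numeric value as Win32's WM_TIMER */
#define MAX_TIMERS 8

typedef void (*TimerProc)(void);

/* A message as the window procedure sees it: timer id in wParam and, for
 * WM_TIMER, an optional callback address in lParam. */
typedef struct {
    unsigned int msg;
    uintptr_t wParam;
    uintptr_t lParam;
} Msg;

/* Callbacks this window actually registered (stand-in for SetTimer). */
static TimerProc registered[MAX_TIMERS];
static size_t registered_count;

static int register_timer(TimerProc cb) {
    if (registered_count >= MAX_TIMERS) return 0;
    registered[registered_count++] = cb;
    return 1;
}

/* Vulnerable default handler, modelling the hand-off the post complains
 * about: a non-null lParam on WM_TIMER is treated as a function pointer
 * and called with no check of where it came from. */
static int vulnerable_default_proc(const Msg *m) {
    if (m->msg == WM_TIMER && m->lParam != 0) {
        ((TimerProc)m->lParam)();
        return 1;                         /* callback executed */
    }
    return 0;                             /* message ignored */
}

/* Hardened window procedure: WM_TIMER never falls through to the default
 * handler.  A callback runs only if its address matches one this window
 * registered; any other address (one posted from outside, say) is refused. */
static int hardened_wnd_proc(const Msg *m) {
    if (m->msg != WM_TIMER)
        return 0;                         /* other messages: not modelled */
    if (m->lParam == 0)
        return 0;                         /* plain tick, no callback */
    for (size_t i = 0; i < registered_count; i++) {
        if ((uintptr_t)registered[i] == m->lParam) {
            registered[i]();
            return 1;                     /* known callback executed */
        }
    }
    return -1;                            /* unknown pointer: refused */
}

/* Build a WM_TIMER message carrying lParam and hand it to a handler. */
static int deliver_timer(int (*proc)(const Msg *), uintptr_t lParam) {
    Msg m = { WM_TIMER, 1, lParam };
    return proc(&m);
}

/* One callback the window registers, one it never did (standing in for an
 * address an attacker posted).  Counters record which ones actually ran. */
static int legit_calls, foreign_calls;
static void legit_tick(void)   { legit_calls++; }
static void foreign_code(void) { foreign_calls++; }

int main(void) {
    register_timer(legit_tick);
    printf("hardened, posted lParam:   %d\n",
           deliver_timer(hardened_wnd_proc, (uintptr_t)foreign_code));
    printf("hardened, own lParam:      %d\n",
           deliver_timer(hardened_wnd_proc, (uintptr_t)legit_tick));
    printf("vulnerable, posted lParam: %d\n",
           deliver_timer(vulnerable_default_proc, (uintptr_t)foreign_code));
    printf("foreign callback ran %d time(s)\n", foreign_calls);
    return 0;
}
```

The model leaves out everything about real Windows except the one decision that matters here: whether a callback address arriving in a message is trusted because it arrived, or only because the receiving window put it there. The real TIMERPROC takes four arguments and the real check would live in the application's WndProc before any call to the default window procedure, but the shape of the fix is the same: keep your own record of the callbacks you registered and drop WM_TIMER messages whose lParam is not one of them.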