Security expert breaks Windows

by James Middleton

07 Aug 2002

A UK security researcher has released a white paper that claims to identify inherent and unfixable flaws in the Windows operating system. But his research has been met with mixed reactions from his peers and Microsoft.

Chris Paget, who published the paper on his website, claims his work is the "first public example of a new class of attacks against the Win32 Application Programming Interface [API]".

The Win32 API has been in existence since the days of Windows NT 3.1, back in July 1993.

Paget claims that the vulnerabilities highlighted in his research have been present since then. But they only came to light during the antitrust trial, when Microsoft vice president Jim Allchin stated under oath that there were flaws in Windows so great they could threaten national security if the Windows source code were to be disclosed.

Paget gives a working example, along with a tool he created called Shatter, of how the Windows messaging system can be exploited to allow a local user to escalate their privileges.

"Microsoft cannot fix these vulnerabilities. These are inherent flaws in the design and operation of the Win32 API. This is not a bug that can be fixed with a patch," he said.

But other security watchers claim that this class of attack is not new and that, for once, the blame does not really lie with Microsoft. Instead, it is the fault of third-party software developers who allow their application window processes to run with LocalSystem privileges.

"There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop," said John Howie of SecurityToolkit.com on the BugTraq security mailing list. "I am not aware of any Microsoft application that makes such a mistake," he added.

Florian Weimer of the University of Stuttgart said: "A bit of MSDN browsing revealed that Microsoft has already 'fixed' the vulnerabilities, despite the claim that this was impossible ... Maybe there are some flaws, but the overall design seems to be sound."

Indeed, Microsoft's response to Paget's work fails to recognise this as a vulnerability and passes the buck to the third-party developers.

"It is the implementer of a program that decides what messages to handle and how to handle them ... I would recommend that you contact the program's owner and let them know of your report. There may or may not be a vulnerability for them to address, but the program's owner should determine that," was the Redmond giant's response.

But Paget said: "The simple fact is that Microsoft know that they cannot fix these flaws ... Microsoft believe that the desktop is a security boundary, and that any window on it should be classed as untrusted ... Microsoft break their own rules; there are numerous windows on a standard desktop that run as LocalSystem. Use my Shatter tool to verify this - there's a whole load of unnamed windows which might be running as LocalSystem, and a few invisible windows that definitely are. Security boundary my arse."

Do you agree?

 
