Windows API 'flaw' sparks security debate

As Microsoft attempts to burnish its reputation for security, a security expert makes the case that Windows' architecture encourages insecure applications

A security researcher has stirred up a new controversy around the security of the Windows operating system, with claims that a flaw in the design of the Windows architecture has led to vulnerabilities in an unknown number of Windows applications.

On Tuesday, freelance security consultant Chris Paget published a whitepaper demonstrating what he calls a Shatter Attack, which allows a user to elevate his or her privileges and gain control of a system. The attack makes use of a flaw that Paget says may be found in many Windows applications, due to the way the Windows application programming interface (API), Win32, is designed.

The security of Windows APIs has come into the limelight recently because of Microsoft's antitrust case. Under the terms of a proposed settlement, Microsoft would be required to disclose the workings of previously secret APIs -- a process the company has already begun. However, Microsoft would reserve the right not to disclose APIs that are important for Windows security, in keeping with what the company's critics say is a strategy of "security through obscurity".

Paget argues that his research shows that far from obscurity providing the best security, the reverse strategy is more effective. "If people know about these problems, they can work around them," he said. "If they don't, they've got no choice but being vulnerable to them. It comes back to whether you think full disclosure is a good thing."

Paget's Shatter Attack relies on a mechanism called messaging that Windows uses for controlling applications, such as registering when a key has been pressed, for example. Windows' messaging, Paget argues, is flawed because an application can use messages to control any window on the same desktop, and these actions are not authenticated.

Messaging-based security risks have been discussed for some time, but Paget believes this is the first time such an attack has been demonstrated.

In Paget's demonstration, the attacker uses Network Associates VirusScan v4.5.1 running on Windows 2000 Professional. Since the application needs high access privileges, it runs at a security setting called LocalSystem. The attacker, logged in as guest, is able to fool the application into running a small piece of code with the higher LocalSystem privileges, and this code in turn elevates the user's privileges.

Escalating user privileges requires the presence of an application that itself uses high privileges, such as a virus scanner or personal firewall. The application must include a window that both uses those high privileges and interacts directly with the user, called running as an "interactive service", Paget noted.

It is impossible to estimate how common such applications are without investigating them individually, but "potentially any program that does something that requires high privileges on a system could be running as an interactive service", he said.

However, messaging-based attacks may not be limited to applications running as interactive services. For example, if a personal firewall allowed only Internet Explorer access to a company's network, the attacker could circumvent the firewall using IE in a way that would give him or her command line access to the network, Paget said.

"To be honest, every application that runs on Windows is likely to be vulnerable in some way or another," he said. "It's not just privilege-escalation attacks you can do through this."

In a statement issued to ZDNet UK in response to the whitepaper, Microsoft argued that these messaging exploits do not "meet Microsoft's definition of a security vulnerability".

"The proposed attack scenario assumes that the attacker has already been allowed to cross a security boundary or has access to a program using interactive services to LocalSystem," the statement said. Microsoft argued that the situation does not count as a threat because the attacker required "unrestricted physical access to your computer" to carry out the exploit.

Paget warned that it is unwise to downplay the significance of such exploits. He noted that the scenario only requires system access that is typical on corporate networks. The attack can also be carried out remotely from a client with access to Terminal Services, a way of providing a number of users such as telecommuters or call-centre workers access to certain functions on a centralised system. "You could take over the entire terminal server," he said.

Paget's whitepaper also touched off a debate on the Bugtraq mailing list for security professionals, with some arguing that the responsibility for such flaws lies with developers, and others agreeing with Paget that Microsoft has created an API that makes it easy to create vulnerable software.

One researcher said that regardless of who is to blame, exploits involving Windows messages could turn out to be a real problem. "Though there may be a way to prevent these vulnerabilities, the same could be said for, say, a buffer overflow, and yet they're found all over the place," he wrote.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.