News from PANUG/BizNix - August 15, 2002
http://panug.org - http://biznix.org

MEETING TONIGHT

PANUG's monthly meeting is tonight at 6:15 pm. Directions are on PANUG's web site. Click on the MEETINGS link.

SECURITY FLAW IN WINDOWS OR NOT?
by Ed Sawicki - Accelerated Learning Center / Tailored Computers

SANS included this item in their broadcast yesterday:

Researcher Claims Win32 Messaging System is Irreparably Flawed

Chris Paget says there is an irreparable hole in Win32. Any application can send a message to any window on the same desktop regardless of whether or not the window is owned by the application, and there is no authentication mechanism to prevent this from happening. Paget has published a white paper describing a "shatter attack" which allows an attacker to gain control of a system by elevating his or her privileges. Microsoft says this does not fit their criteria/definition of a security vulnerability.
http://www.theregus.com/content/55/25883.html
http://zdnet.com.com/2100-1105-948931.html

[Editor's Note (Murray): The messaging system works as documented. What Paget proposes to exploit is a documented feature. One of the things that makes it "irreparable" is that it is widely used in ways that do not compensate for its fundamental vulnerability. What Paget describes is an attack that might permit an otherwise unprivileged, but identified and authenticated, user in a multi-user system to assume the privileges and identity of another more privileged user. However, such a user is not an arbitrary "attacker" as our abstract might be read to say. And the Messaging System is not one between users but one between operating system objects.]

All parties are correct here but, in my view, Chris Paget is the most correct. I'm a little surprised that Murray tries to minimize the problem. If you're having trouble understanding the implications of the technical aspects of this issue, I can simplify it.
The vulnerability suggests that a WIN32 platform is one that shouldn't be used when programs or services must have high assurance that they can't be attacked by other programs running on the same computer. See the comparison Chris makes between WIN32 and X Windows for added perspective.

Given that most Microsoft services, such as IIS, Exchange, SQL Server, etc., have had serious security issues (which may be unrelated to this vulnerability, but there's a boatload of vulnerabilities left to discover in their closed source), here are two rules that make sense:

DON'T USE WINDOWS FOR SERVERS if you run more than one program or service on a single computer.

If you must use Windows for your servers, PUT IMPORTANT SERVICES ON SEPARATE COMPUTERS.

Of course, the obvious third rule is to replace your Windows servers with a more secure OS, like Linux, FreeBSD, NetWare, Solaris, etc. If you have serious security requirements, consider SELinux from the NSA.

As for desktop computers, this vulnerability is just another in a sea of more serious Windows security issues. You can easily ignore it. Windows desktops will never be secure. Deal with it.