Huge flaw in Win32 API?
A paper that describes what could be a huge vulnerability in Microsoft's Win32 API is becoming quite the topic of conversation today. The paper blames Microsoft for the vulnerability, but some skeptics have claimed that the vulnerability is more the fault of application developers.
This class of attack is not new; it has been discussed before. While you can assert that the blame lies with Microsoft (and I'll admit they do have some responsibility to address the problem you describe), the chief blame lies with the vendor of the software whose bad programming you are exploiting. There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop. I am not aware of any Microsoft application that makes such a mistake.
However, the paper in question does point out some specific instances where Microsoft appears to be making just such a mistake:
Either way, Microsoft break their own rules; there are numerous windows on a standard desktop that run as localsystem. Use my shatter tool to verify this - there's a whole load of unnamed windows which might be running as Localsystem, and a few invisible windows (like the DDE server) that definitely are.
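The disagreement between the reply and the paper turns on one checkable claim: are there top-level windows on the interactive desktop that belong to processes running as LocalSystem? The script below is an added example for this page, not the paper's shatter tool and not code from either party. It enumerates every top-level window on the current desktop, visible or not, with EnumWindows, maps each window to its owning process, and resolves the account that process runs as through WMI's Win32_Process.GetOwner. The P/Invoke wrapper class name (Win32Win) and all variable names are my own choices.

```powershell
# Added example: list top-level windows on the interactive desktop and the
# account that owns each window's process. Run on the Windows host itself,
# inside the interactive session. Run elevated to resolve the owner of
# SYSTEM processes; unelevated, those rows show "<access denied>".

Add-Type @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Win32Win {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder sb, int n);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder sb, int n);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@

# Build a PID -> "DOMAIN\user" map once, so each window costs one lookup.
$owners = @{}
Get-CimInstance Win32_Process | ForEach-Object {
    $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    $owners[[uint32]$_.ProcessId] =
        if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<access denied>' }
}

# Collect every top-level window. Invisible windows are kept deliberately:
# the paper's point is that some of those belong to LocalSystem processes.
$script:found = New-Object System.Collections.Generic.List[object]
$callback = [Win32Win+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    [uint32]$winPid = 0                       # $PID is reserved in PowerShell
    [void][Win32Win]::GetWindowThreadProcessId($hWnd, [ref]$winPid)
    $title = New-Object System.Text.StringBuilder 256
    [void][Win32Win]::GetWindowText($hWnd, $title, $title.Capacity)
    $class = New-Object System.Text.StringBuilder 256
    [void][Win32Win]::GetClassName($hWnd, $class, $class.Capacity)
    $script:found.Add([pscustomobject]@{
        Handle  = ('0x{0:X}' -f $hWnd.ToInt64())
        Visible = [Win32Win]::IsWindowVisible($hWnd)
        Class   = $class.ToString()
        Title   = $title.ToString()
        PID     = $winPid
    })
    return $true                              # keep enumerating
}
[void][Win32Win]::EnumWindows($callback, [IntPtr]::Zero)

# Join windows to owners and report. Unnamed windows show an empty Title,
# which is exactly the case the paper says is hard to judge by eye.
$report = $script:found | ForEach-Object {
    $owner = if ($owners.ContainsKey($_.PID)) { $owners[$_.PID] } else { '<unknown>' }
    $_ | Add-Member -NotePropertyName Owner -NotePropertyValue $owner -PassThru
}
$report | Sort-Object Owner, PID |
    Format-Table Owner, PID, Visible, Class, Title -AutoSize

"`nTop-level windows owned by SYSTEM processes on this desktop:"
$report | Where-Object { $_.Owner -like '*\SYSTEM' } |
    Format-Table PID, Visible, Handle, Class, Title -AutoSize
```

The second table is the one to read: any row there is a window that a process with the LocalSystem security context has placed on the same desktop as the interactive user, which is the condition the reply says no Microsoft application creates and the paper says several do. One caveat when running this on a current system rather than one from the paper's era: since Windows Vista, services run in session 0, so their windows are not on the interactive desktop at all, and User Interface Privilege Isolation blocks most messages from a lower-integrity process to a higher-integrity window on the same desktop. An empty SYSTEM table on a modern host therefore does not say anything about the Windows versions the paper was written against.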
We'll certainly be keeping an eye on how this story develops and let you know how it all pans out.