Win32 API

Ian Murray seamus2001 at attbi.com
Wed Aug 7 13:24:59 PDT 2002


"Unfixable" flaw breaks Microsoft's Windows 18:05 07 August 02 NewScientist.com news service

An "unfixable" flaw that leaves your desktop PC open to serious abuse has been exploited in Microsoft's Windows operating system. The trick could be used by an attacker to discover your passwords, copy your files or even format your hard disk.

Chris Paget, a freelance computer security consultant based in London, revealed the exploit in a paper published on the net on Tuesday. He claims it is the first time this flaw in Windows has been exploited. Paget says he began the research after Microsoft vice president Jim Allchin told a court in May that errors had been identified in Windows but should not be revealed for security reasons.

When a user logs on to a Windows machine, he or she is granted a certain level of privileges, which governs which files they are allowed to access and what sort of operations they can perform on those files.

Paget, who goes by the hacker handle 'Foon', logged on to a system as a guest user - normally granted minimal privileges - and by exploiting the flaw managed to increase his privilege level to 'local system', the highest level possible. This gave him complete access to everything on the machine and potentially to other machines on the local network.

Message flow

He could then perform any operation on the local machine he liked, including formatting the hard disk, creating new users and hiding "keyboard sniffer" programs to capture passwords of people subsequently using the machine.

The flaw is part of the fundamental design of the Windows operating system. It is contained within the mechanism that controls the flow of messages between different windows on the desktop. This is called the Win32 API and has remained unchanged since 1993.

Critically, the Win32 API system does not authenticate the messages, so it cannot distinguish messages from malicious sources from those from legitimate ones. This allowed Paget to select a window with the highest privileges and surreptitiously embed a malicious piece of code. When executed, the code would increase his user privileges to the maximum given to that window.

Special message

But how could he run that code? Paget also found that by sending a special message, called WM_TIMER, he could cause the window to run the piece of code he had previously embedded in the window's memory.

"This is the really stupid thing that Microsoft lets you do," he says. "The fact that you can cause a window to execute a random piece of code is the key to taking control of the machine."

Paget says the flaw can be partly overcome by third-party software makers if they reprogram their software to work around the flaw. But he warns that this will by no means solve the problem. "It is still a fundamental flaw in Windows," he says, and fixing it would mean rewriting Windows' core program and all the applications using it.

At the time of publication, Microsoft had made no comment.

David Cohen