Chris, I read your paper with interest. However, I must disagree with you in some respects. The Win32 API provides a concept called "Window Stations" which offer the fine grained access control you're looking for. By default, interactive applications run in the default Windows Station, "WinSta0", but you can create separate Windows Stations with appropriate DACLs. By default, only Administrators can enumerate non-default Windows stations, and only Administrators and the owner of a Windows Station can access (send messages to) the windows within the desktop of that Windows station. I see the exploits you posted not as a defect in the API, but rather as lack of care by the authors of certain interactive services, which run under different credentials in an accessible Windows Station. Everyone knows that interactive services are deprecated. They are security risks, for the reasons you lay out in your paper. Read chapter 5 of "Programming Windows Security" by Keith Brown. Microsoft's response is therefore largely correct -- just because a feature is there doesn't mean you have to use it. Yours, Chad Loder
