I believe nothing new it that issue. WM_TIMER tricks were described by Matt Pietrek in 1997, in Microsoft's MSJ http://www.microsoft.com/msj/defaultframe.asp?page=/msj/0397/hood/hood0397.htm&nav=/msj/0397/newnav.htm (sample included) So it was noted already at least 5 years before Jim Allchin. There is also well known trick with SetWindowsHookEx function (exploit sample http://www.uinc.ru/scripts/load.cgi?articles/19/InjectDLL.zip by buLLet) and so forth. There is also article of Symeon Xenitellis "A New Avenue of Attack: Event-driven system vulnerabilities" http://www.isg.rhul.ac.uk/~simos/event_demo/ So it's strange that issue looks new for somebody, especially experts. Best regards, Andrey mailto:andr@sandy.ru CP> I have written a white paper documenting what I believe is the first CP> public example of a new class of attacks against the Win32 API. This CP> particular attack exploits major design flaws in the Win32 API in CP> order for a local user to escalate their privileges, either from the CP> console of a system or on a Terminal Services link. The paper is CP> available at http://security.tombom.co.uk/shatter.html CP> In order to pre-empt some of the inevitable storm about responsible CP> disclosure, let me point out the following. CP> 1) The Win32 API has been in existence since the days of Windows CP> NT3.1, back in July 1993. These vulnerabilities have been present CP> since then. CP> 2) Microsoft have known about these vulnerabilities for some time. CP> This research was sparked by comments by Jim Allchin talking under CP> oath at the Microsoft / DoJ trial some 3 months ago. CP> http://www.eweek.com/article2/0,3959,5264,00.asp Given the age of the CP> Win32 API, I would be highly surprised if they have not known about CP> these attacks for considerably longer. CP> 3) Microsoft cannot fix these vulnerabilities. These are inherent CP> flaws in the design and operation of the Win32 API. This is not a bug CP> that can be fixed with a patch. CP> 4) The white paper documents one example of these class of flaws. CP> They have been discussed before on Bugtraq, however to my knowledge CP> there have been no public working exploits. I have just documented CP> one way to get this thing working. CP> 5) This is not a bug. This is a new class of vulnerabilities, like a CP> buffer overflow attack or a format string attack. As such, there is CP> no specific vendor to inform, since it affects every software maker CP> who writes products for the Windows platform. A co-ordinated release CP> with every software vendor on the planet is impossible. CP> Chris
