> -----Original Message-----
> From: Rothe, Greg (G.A.) [mailto:grothe@ford.com]
> Sent: Tuesday, August 27, 2002 10:00 AM
> To: 'Paul Starzetz'; Andrey Kolishak; bugtraq@securityfocus.com
> Subject: RE: White paper: Exploiting the Win32 API.
>
>
> All of this brings up a couple of questions for me:
>
> 1.
> As I understand it, all this can be avoided by applying the
> simple, longtime standard maxim of "trust no input," correct? (If
> correct, this leads me to murmur rhetorically "Have today's
> developers no discipline?")
>
> 2.
> If the above is incorrect,

The above is NOT correct, as several posters have already shown.

Anytime a developer has an application running as system, which is a rare need, they must realize the security ramifications of what they are doing. (That, if a flaw is found in their software, they will elevate the privileges of the user).

http://www.atstake.com/research/advisories/2000/a090700-1.txt

This is a well known need, even if this type of attack - and therefore prevention - is not well known.

> and system messages such as event
> notifications (onClick, etc.) can be compromised, then developers
> using tools such as Visual Basic are essentially helpless to
> harden their applications. Other than going back to writing in
> assembly, what is the modern developer to do?
>

You generally will have very few types of applications on your system which require to run *as* system and can receive messages (Most that I can think of are actually security apps that are designed to restrict unprivileged users -- but maybe I am biased).

While you can exploit other applications not running in a higher privilege space in this manner, this gains you nothing which you cannot do with just running a binary as that user.

>
> We have here an exclusive or: Which is it - 1 or 2 or neither?
>
> Thanks,
>
> -Greg

<snip>