On Tue, 6 Aug 2002, Bill Bogstad wrote:

> So a command line overflow exploit in a setuid-root ps binary on a
> UNIX machine is unimportant because you shouldn't ever let 'bad
> people' have a login on your machine? I thought security was about
> being able to limit the resources that a user could access on a
> machine even when they had some level of legal access. You seem to be
> advocating a security model of 'good' and 'bad' users where 'good
> users' can do anything and 'bad users' can do nothing. Maybe you
> missed the part where this worked via terminal services as well. You
> don't need physical access, apparently you only need the equivalent of
> a UNIX login. I believe that any operating system vendor who claims
> that something isn't a security issue because you have to have some
> level of valid access to exploit it should be condemned. PERIOD.

OK, I should have been more explicit. When you have a bad person sitting in front of your WINDOWS computer, is what I meant.

And this was, at heart, not a buffer overflow exploit. The security hole is any program being able to talk to any other window as if it were the operating system. The buffer overflow was just one way he showed to invoke the exploit, the main one not even needing the complexity of a buffer overflow, just put a binary in memory somehow and pass WM_TIMER to execute it. No buffer overflow needed.

-------------------------------------------------------------------
DDDD   David Kramer         http://thekramers.net
DK KD
DKK D  Imagine an alternate history where William S. Burroughs was
DK KD  actually interested in mainframe hardware design.
DDDD                                        Bob Bruhin