MS02-071, shatter?
From: Greg Riedesel (greg.riedesel@CI.STPAUL.MN.US)
Date: 12/12/02
Date: Thu, 12 Dec 2002 08:34:35 -0600
From: Greg Riedesel <greg.riedesel@CI.STPAUL.MN.US>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
If I don't miss my guess, it looks like MS02-071 fixes the vulnerability
that "shatter" uses to gain priv escalation. I do recall a lot of back
and forth about whether or not this was easily fixable in Windows, as
the problem area (WM_TIMER) is used by pretty much every Windows
application. Programs like VirusScan from McAfee do put a window on the
desktop that has system privs, and shatter was used to escalate the
logged in user to a higher level of priv.
Once that level of access is achieved, it is a lot easier to capture key
domain credentials. Though such attacks are still somewhat technically
complex.
I do remember that the consensus was that fixing this problem would
require a fundamental re-engineering of how Windows works, and that a
true fix would be a long time coming as a result. So now we have this
patch from Microsoft. Have they actually fixed the problem? So
quickly?