[26575] in bugtraq
Re: White paper: Exploiting the Win32 API.
daemon@ATHENA.MIT.EDU (Chris Calabrese)
Wed Aug 7 12:04:51 2002
Message-ID: <20020807133813.31892.qmail@web13304.mail.yahoo.com>
Date: Wed, 7 Aug 2002 06:38:13 -0700 (PDT)
From: Chris Calabrese <chris_calabrese@yahoo.com>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
So let me get this straight.
Allowing unpriveleged processes to send control messages to priveleged
processes is not a flaw in the Win32 API because there is a mechanism
for applications to protect themselves from this type of attack
(alternate Windows Stations/Desktops).
But the mechanism effectively prevents the priveleged processes from
providing a GUI because the user won't be able to actually see the
alternate Windows Stations/Desktops without some kind of Station
switching tool, and/or extra training in how to do this.
So, the result is that no applications actually use this mechanism.
What part of "this is broken" doesn't make sense?
__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com
