ADMIN: (was Re: OT Operating System Design WAS R: [thelist] RE: blaster worm punishment)

Dean Mah dean.mah at
Thu Feb 3 08:32:09 CST 2005

Hello all,

I'd like to suggest that this thread be moved to thechat since it is
offtopic for thelist.  The original topic has had the sense to die out
and I'd like to see the same with this one or for it to move to
thechat.  Complaints can come directly to me or to
content at


On Thu, 03 Feb 2005 12:50:11 +0000, Keith Gaughan
<keith at> wrote:
> Ken Schaefer wrote:
> > : -----Original Message-----
> > : From: thelist-bounces at
> > [mailto:thelist-bounces at] On
> > : Behalf Of Keith Gaughan
> > : Subject: Re: OT Operating System Design WAS RE: [thelist] RE: blaster worm
> > : punishment
> > :
> > : > What exactly is "shoddy" about the design of the OS itself?
> > :
> > : Amongst other things, I'll just mention my two joint pet hates: the
> > : LocalSystem user, aka "uber-root", the WM_TIMER message. I'll say no
> > : more 'cause Google is your friend.
> >
> > Ah, a post that has just enough technical terms to be beyond a rant, but
> > vague enough that the poster can not be pinned down to the details of the
> > shoddiness that they purport to be showing us. :-)
> Aw, it's not that bad! And you proved it because you correctly
> identified the attack I was thinking of as the shatter attack.
> > Googling for either of those two, plus your name, doesn't return any hits,
> Why'd you google for my name with it?
> > Now, you could be referring to a security vulnerability that was patched back
> > in 2002.
> Oh, no it wasn't. MS put out a press release saying that it wasn't an
> issue seeing as you'd need at least guest access to the machine to do
> it. They never actually did anything about it.
> My point is that a trojan could still use this to elevate its
> privileges. Or, for that matter, a regular restricted user. All it takes
> is access to the machine and one bad app.
> > This vulnerability was the basis for so-called "shatter" attacks. An
> > attacker with local privileges could elevate those privileges *if* they
> > could, using WM_Timer messages, somehow send commands to a more privileged
> > program or service that happened to interact with the desktop. Application
> > layer software firewalls were a favourite target, because they failed to draw
> > desktop windows using the current user's credentials, but did so rather with
> > LocalSystem credentials (they typically installed themselves as services
> > running in that context). As mentioned, that was patched in 2002 (MS02-071).
> A patch that only applied to MS's own services. The underlying flaw
> still exists.
> > I'm not sure that shows "shoddy" OS design. When WM_Timer was added to the
> > Win32 API in the Windows NT 3.1 days (according to MSDN), no one probably
> > foresaw programs like software firewalls running in privileged mode and (for
> > reasons best known to the developers of such firewalls) that those programs
> > would draw windows on the desktop using LocalSystem as well.
> The shoddy design is that WM_TIMER requires the address of a callback
> function rather than a timer reference id. Dispatching to a callback
> function in response *should*, in a properly designed system, be done
> inside the application. It was a quick and lazy way of implementing it.
> K.
> --
> * * Please support the community that supports you.  * *
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to:
> Workers of the Web, evolt !

More information about the thelist mailing list