Win32 API utterly and irreprarable broken

Dr. G plug-discuss@lists.plug.phoenix.az.us
Thu, 8 Aug 2002 07:03:03 -0700


"This issue is a critical security problem if a Windows machine is used by
more than one person."

Which gets to the root of a lot of people's problems with security
vulnerabilities (NOT just in Windows I've seen). Bad passwords/naive trust
of their fellow man.

Worst: Not updating with patches. Even Linux has patches, so...
Bad: Bad passwords/naive trusting users
Annoying: Stupid users that open everything they can just because "Hey, if I
got it, it needs to be opened without any pre-thought!"

There is a reason why different user security levels were invented for
Windows and Linux. Restricting Security Is Good.

Other than that, if you're running a program on your PC someone else made that
you don't 100% trust, you're gambling, no matter if it's Windows or Linux.

We need intelligent computer users...

So, essentially we're screwed...(glass 3/4 empty!)


----- Original Message -----
From: "Dale Farnsworth" <dale@farnsworth.org>
To: <plug-discuss@lists.plug.phoenix.az.us>
Sent: Thursday, August 08, 2002 6:45 AM
Subject: Re: Win32 API utterly and irreprarable broken


> On Thu, Aug 08, 2002 at 01:22:46AM +0000, David Uhlman wrote:
> > Though I am loathe to "defend" Microsoft if you read the bug track info
> > http://online.securityfocus.com/archive/1/286228/2002-08-03/2002-08-09/1 you
> > can see that this is more complex than just a typical MS bug/error and plays
> > off the problem of supporting 10 years of legacy api code and insufficient
> > vendor understanding of the damages possible via message queuing.
> >
> > It is not so much of a bug because a patch can't be applied to this, it is
> > more of a "known issue" that vendors must be made aware of to avoid building
> > programs that can be taken advantage of by this. A very limited parallel
> > might be a Linux vendor building a program that runs inappropriate code as
> > root so that privilege escalation is possible.
>
> This would be true if not for the fact that Microsoft supplies several
> programs (integral to the operation of windows) that can "be taken
> advantage by this."  The point of the original paper is that you cannot
> build a usable windows desktop system without hitting this "known
> issue".
>
> This issue is a critical security problem if a Windows machine is used
> by more than one person.
>
> -Dale