On Thu, Aug 08, 2002 at 01:22:46AM +0000, David Uhlman wrote:
> Though I am loathe to "defend" Microsoft if you read the bug track info
> http://online.securityfocus.com/archive/1/286228/2002-08-03/2002-08-09/1 you
> can see that this is more complex than just a typical MS bug/error and plays
> off the problem of supporting 10 years of legacy api code and insufficient
> vendor understanding of the damages possible via message queuing.
>
> It is not so much of a bug because a patch can't be applied to this, it is
> more of a "known issue" that vendors must be made aware of to avoid building
> programs that can be taken advantage of by this. A very limited parallel
> might be a Linux vendor building a program that runs inappropriate code as
> root so that privilege escalation is possible.
This would be true if not for the fact that Microsoft supplies several
programs (integral to the operation of windows) that can "be taken
advantage by this." The point of the original paper is that you cannot
build a usable windows desktop system without hitting this "known
issue".
This issue is a critical security problem if a Windows machine is used
by more than one person.
-Dale