From: Chad Loder (cloder_at_acm.org)
Date: Tue Aug 06 2002 - 14:36:26 CDT

    Chris,

    I read your paper with interest. However, I must disagree
    with you in some respects. The Win32 API provides a concept
    called "Window Stations" which offer the fine-grained access
    control you're looking for. By default, interactive applications
    run in the default Windows Station, "WinSta0", but you can
    create separate Windows Stations with appropriate DACLs.

    By default, only Administrators can enumerate non-default Windows
    stations, and only Administrators and the owner of a Windows Station
    can access (send messages to) the windows within the desktop of
    that Windows station.

    I see the exploits you posted not as a defect in the API, but rather
    as a lack of care by the authors of certain interactive services, which
    run under different credentials in an accessible Windows Station.

    Everyone knows that interactive services are deprecated. They are
    security risks, for the reasons you lay out in your paper. Read
    chapter 5 of "Programming Windows Security" by Keith Brown. Microsoft's
    response is therefore largely correct -- just because a feature is
    there doesn't mean you have to use it.

    Yours,
            Chad Loder
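
A defender-side audit for the interactive services discussed in the message above. This is an added example, not part of the original post. It assumes a Windows host with PowerShell and read access to HKLM; the function name Get-InteractiveService is hypothetical.

```powershell
# Added example: list Win32 services whose configuration allows them to
# interact with the desktop, i.e. to create windows in the interactive
# window station (WinSta0) while running under service credentials.

$SERVICE_WIN32               = 0x30    # own-process (0x10) or shared-process (0x20)
$SERVICE_INTERACTIVE_PROCESS = 0x100   # "Allow service to interact with desktop"

function Get-InteractiveService {
    [CmdletBinding()]
    param(
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.Type) { continue }

        # Skip kernel and file-system drivers; only Win32 services matter here.
        if (($props.Type -band $SERVICE_WIN32) -eq 0) { continue }
        # Keep only services carrying the interactive flag.
        if (($props.Type -band $SERVICE_INTERACTIVE_PROCESS) -eq 0) { continue }

        [pscustomobject]@{
            Name      = $key.PSChildName
            Account   = $props.ObjectName   # account the service runs as
            Start     = $props.Start        # 2 = automatic, 3 = manual, 4 = disabled
            ImagePath = $props.ImagePath
        }
    }
}

# System-wide switch: a non-zero NoInteractiveServices value tells the
# service control manager to ignore the interactive flag on every service.
$win = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' `
                        -ErrorAction SilentlyContinue
$blocked = ($null -ne $win) -and ($win.NoInteractiveServices -gt 0)
"Interactive services blocked system-wide: $blocked"

$found = @(Get-InteractiveService)
if ($found.Count -eq 0) {
    'No services are flagged as interactive.'
} else {
    $found | Sort-Object Name | Format-Table -AutoSize -Wrap
}
```

Each service reported is a candidate for reconfiguration so that it no longer presents windows on the user's desktop.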