Flaw or Not, Microsoft to Patch Services Problem | eWeek

Flaw or Not, Microsoft to Patch Services Problem

Verfasst von
Dennis Fisher
Dennis Fisher
Sep 4, 2002
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Microsoft Corp. is working on patches for several services within Windows that run with inappropriately high privileges, making the operating system vulnerable to a sophisticated attack that could lead to a complete compromise of the machine.

The fixes in the works are meant to prevent interactive services on the Windows desktop from running with the same privileges as the most highly privileged service. By design, all of the interactive services are on an equal footing and can trade requests with other services on the desktop. This fact means that an attacker who was able to gain control of one of the services could then use it to elevate his privileges and possibly gain control of the system.

Chris Paget, a British security researcher, published a white paper in early August describing the situation, calling it an “unfixable” flaw in the Microsoft Win32 API. Security experts are divided over whether the problem actually constitutes a security vulnerability or is in fact simply a design problem. Although Microsoft and some members of the security and developer community had known about the issue previously, Pagets paper generated quite a lot of interest and concern, prompting the software makers response.

“This really is not a security model flaw because you can clearly implement a program not to be vulnerable to this. Higher privileged programs such as services running as system should not be taking input from lower privileged users without filtering it,” said Chris Wysopal, director of research and development at @stake Inc., a security consultancy and research firm in Cambridge, Mass. “Windows messages need to be thought of as untrusted input just like network traffic. I would consider this an application design error. I think that the controversy over this is because people cant agree to whether or not the OS should be protecting applications from malicious inter-process messages. Windows does not document that the system protects from this. It is up to the application developer.”

Either way, after a month of consideration, security officials at Microsoft, in Redmond, Wash., believe there is enough of an issue to warrant the production of several patches.

In a report posted on its TechNet Web site this week, Microsoft officials said they “found a small number of cases in which Microsoft-developed interactive services do run with inappropriately high privileges.” The company plans to release the patches shortly and is also looking at making some other changes to the Windows code that should make it more difficult to exploit this issue.

Related stories:

  • Microsoft Bolsters Passport Security
  • Microsoft Patches IE, Windows Holes
  • Microsoft Security Under Fire
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.