Flaw or Not, Microsoft to Patch Services Problem | eWeek

Flaw or Not, Microsoft to Patch Services Problem

Écrit par
Dennis Fisher
Dennis Fisher
Sep 4, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Microsoft Corp. is working on patches for several services within Windows that run with inappropriately high privileges, making the operating system vulnerable to a sophisticated attack that could lead to a complete compromise of the machine.

The fixes in the works are meant to prevent interactive services on the Windows desktop from running with the same privileges as the most highly privileged service. By design, all of the interactive services are on an equal footing and can trade requests with other services on the desktop. This fact means that an attacker who was able to gain control of one of the services could then use it to elevate his privileges and possibly gain control of the system.

Chris Paget, a British security researcher, published a white paper in early August describing the situation, calling it an “unfixable” flaw in the Microsoft Win32 API. Security experts are divided over whether the problem actually constitutes a security vulnerability or is in fact simply a design problem. Although Microsoft and some members of the security and developer community had known about the issue previously, Pagets paper generated quite a lot of interest and concern, prompting the software makers response.

“This really is not a security model flaw because you can clearly implement a program not to be vulnerable to this. Higher privileged programs such as services running as system should not be taking input from lower privileged users without filtering it,” said Chris Wysopal, director of research and development at @stake Inc., a security consultancy and research firm in Cambridge, Mass. “Windows messages need to be thought of as untrusted input just like network traffic. I would consider this an application design error. I think that the controversy over this is because people cant agree to whether or not the OS should be protecting applications from malicious inter-process messages. Windows does not document that the system protects from this. It is up to the application developer.”

Either way, after a month of consideration, security officials at Microsoft, in Redmond, Wash., believe there is enough of an issue to warrant the production of several patches.

In a report posted on its TechNet Web site this week, Microsoft officials said they “found a small number of cases in which Microsoft-developed interactive services do run with inappropriately high privileges.” The company plans to release the patches shortly and is also looking at making some other changes to the Windows code that should make it more difficult to exploit this issue.

Related stories:

  • Microsoft Bolsters Passport Security
  • Microsoft Patches IE, Windows Holes
  • Microsoft Security Under Fire
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.