Shatter Attack tool demonstrates Windows vulnerability
In last Thursday's WinInfo Daily UPDATE, I wrote about an interesting Windows-based security problem (see first URL below), in which a UK-based programmer named Chris Paget alleges that the Win32 API that modern Windows versions use is broken. Paget details his claims in an intriguing white paper (see second URL below) that describes the problem, how easily someone can take advantage of it, and the various responses he's received from Microsoft. In some ways, Paget's interaction with Microsoft is the most interesting part of this story. Although I originally concluded that Microsoft had valid reasons for dismissing the seriousness of the vulnerability, I've since talked with the programmer and am no longer so sure. In fact, I find Microsoft's refusal to comment on this story very damning, especially in light of the so-called Trustworthy Computing initiative and the company's promise to be more open and responsive to security concerns.
In short, Paget claims that the Win32 messaging system, a core portion of Windows that determines the interaction among users, applications, and the OS, is flawed. To demonstrate this, the programmer has written a Shatter Attack tool that uses documented Win32 messaging functionality to usurp control of the system and gain elevated system privileges. Other programmers have since used this technique to perform similar feats.
Microsoft's response, which made sense to me at the time, was that Paget's methods required physical or remote access to the system first, in which case the first tenet of the company's Ten Immutable Laws of Security (see third URL below) was violated, and the system was already insecure. A Microsoft representative identified only as "Dave" wrote to Paget in an email: "The attack you describe either requires [users] to run an attacker's program on their [systems] or the attacker needs to have access to the [users' systems]. In either case, the attacker has been allowed to cross a security boundary. In our essay, the 'Ten Immutable Laws of Security,' these are Law #1—'If a bad guy can persuade you to run his program on your computer, it's not your computer anymore,' and Law #3—'If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.'"
The problem, Paget told me, is that gaining access to a machine is fairly trivial. He gave me several logical examples of how this might happen, including public Internet cafes and libraries, and application service providers (ASPs) that supply remote access to Microsoft Office XP and other applications through Windows 2000 Server Terminal Services. By not admitting that the flaw is a flaw, Paget says, Microsoft is endangering users. And to give him proper credit, Paget handled this situation properly, notifying Microsoft continuously about the problems he found in the Win32 API.
"I've been interacting with Microsoft [personnel] every day, basically, keeping them up-to-date with what I've found," he told me. "I've given them the tools I've produced, and showed them all the new techniques. So far, they've not even acknowledged it as a vulnerability, although they say they are investigating it. But they're not working on a patch and are not even particularly concerned about it. That's what concerns me."
That's what concerns me too. I offered to hook up Paget with someone a little higher up than "Dave," who appears to be a fairly low-level program manager in Microsoft's Security Response team. Microsoft delivered its response, however, with all the subtlety of a Cold War-era Soviet denouncement. Scott Culp, director of the Security Response team, was too busy to discuss this matter with me or Paget. Furthermore, the company had no comment about the problem or any desire to discuss the matter in any way. I was also told that a company representative (Dave, apparently) was already in contact with Paget and that no further contact would be necessary.
I found Microsoft's response to be more than off-putting, especially given today's security climate, the nature of the charges, and the politically correct manner in which Paget had released his information. And yes, I'm hoping that by publishing this bizarre response, I can goad the company into making good on its promises to keep its users safe and up-to-date. In the meantime, I'm left with the feeling that the kinder, gentler, more secure Microsoft was simply marketing doublespeak—and it's not a very good feeling.
Laptop of the Month: Gateway Solo 200
Continuing the highly portable theme I've been exploring all summer, this month's laptop is a wonderful 3-pound Gateway Solo 200 that sports the slice-style expansion that I prefer. Thus, the Solo 200 is highly portable but can be instantly upgraded with an optical drive, 3.5" floppy drive, and a slew of new ports by docking the laptop to a base that the company provides. With the dock installed, the total system weighs just over 5 pounds, although I don't recommend using the machine this way on battery power because the dock, inexplicably, doesn't include its own battery. However, by providing a two-piece system, Gateway lets you travel light and use the dock when you're home (or, you can pack the docking device in your luggage and bring it along, as I've done).
The Solo 200 features a 933MHz low-voltage Pentium III-M processor, which is standard fare in this class; a beautiful 12" XGA display; 256MB of RAM; an adequate 20GB hard disk; integrated video which, again, seems to be standard fare in the thin-and-light class; a touch pad; integrated wireless, Ethernet, and modem connections; and a standard battery that delivered about 2 hours of battery life, which is adequate though not exceptional. A higher capacity battery is also available, and although I didn't test it, it's an option I would consider.
As for ports, the Solo 200 features 2 USB, 1 FireWire/IEEE-1394, 1 PC Card slot, VGA out, parallel, serial, and PS/2 ports; the docking base adds two more USB ports (all four are accessible), a second FireWire, and second VGA out.
What sets the Solo 200 apart from similar laptops, however, is its styling. Rarely do people comment on the machine I'm using in an airport or plane (unless it's an Apple product, of course), but the Gateway drew impromptu discussions from fellow passengers impressed with its less-than-an-inch thickness and brushed-metal-looking body. It truly is a beautiful little machine.
Like last month's Fujitsu Lifebook S6010, however, the Solo 200 comes tantalizingly close to perfection, only to be picked apart in the details. I'd gladly trade the 3.5" floppy drive in the docking base for a second battery, for example, and I'm still no fan of integrated video. But the Solo 200 was an adequate performer overall, with excellent standard features, decent battery life, and amazing industrial design. Considering its excellent $2000 street price and light weight, I'd buy this machine for personal use in a heartbeat.