Reported December 11, 2002, by Microsoft.
· Microsoft Windows XP
· Microsoft Windows 2000
· Microsoft Windows NT 4.0, Terminal Server Edition
· Microsoft Windows NT 4.0
A vulnerability exists in Microsoft Windows WM_TIMER message handling that can grant an attacker complete control over the vulnerable system. The vulnerability occurs because one process in the interactive desktop can use a WM_TIMER message to cause another process to execute a callback function at an address of the sender's choice, even if the second process did not set a timer. If the second process has higher privileges than the first, the first process can exercise those privileges. Because many processes run with LocalSystem security privileges, an attacker can gain access to the system under this security context.
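The dispatch behaviour described above, shown as a simplified portable C model beside a checked dispatcher that only runs callbacks the process registered itself. This is an added example, not Windows source or Microsoft's patch; apart from the `WM_TIMER` message id, every name here (`struct msg`, `set_timer`, `dispatch_unpatched`, `dispatch_checked`) is hypothetical and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define WM_TIMER   0x0113   /* real Windows message id */
#define MAX_TIMERS 8
typedef void (*timer_proc)(void);

/* Simplified stand-in for a window message (not the Win32 MSG layout). */
struct msg { unsigned id; uintptr_t wparam; timer_proc lparam; };

/* Timers this process set itself (model of its own timer bookkeeping). */
static struct { uintptr_t id; timer_proc cb; } timers[MAX_TIMERS];
static size_t ntimers;
static int own_ticks, foreign_calls;

static void own_tick(void)     { own_ticks++; }     /* callback the process registered */
static void foreign_code(void) { foreign_calls++; } /* address named by another process */

static int set_timer(uintptr_t id, timer_proc cb) {
    if (ntimers == MAX_TIMERS) return 0;
    timers[ntimers].id = id;
    timers[ntimers].cb = cb;
    ntimers++;
    return 1;
}

/* Behaviour the advisory describes: the callback in the message is trusted. */
static int dispatch_unpatched(const struct msg *m) {
    if (m->id == WM_TIMER && m->lparam) { m->lparam(); return 1; }
    return 0;
}

/* Checked form: run the callback only if this process set that timer. */
static int dispatch_checked(const struct msg *m) {
    if (m->id != WM_TIMER || !m->lparam) return 0;
    for (size_t i = 0; i < ntimers; i++)
        if (timers[i].id == m->wparam && timers[i].cb == m->lparam) {
            m->lparam();
            return 1;
        }
    return 0; /* no matching timer was set: drop the message */
}

int main(void) {
    struct msg forged = { WM_TIMER, 99, foreign_code }; /* constructed sample */
    set_timer(1, own_tick);
    dispatch_unpatched(&forged);      /* runs foreign_code in this process */
    return dispatch_checked(&forged); /* 0: forged message is dropped */
}
```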
Microsoft has released Security Bulletin MS02-071, "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)," to address this vulnerability and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.
Discovered by Microsoft.