A UK web site has posted what it claims is an analysis of the Windows 32 API and claims that there are inherent flaws which Microsoft knows all about, which are unfixable, but which the software giant is refusing to address.
The report follows Jim Allchin's statement under oath that some problems in Windows are so great that if the code were released, national security would be threatened.
The web page claims to give details of exactly how to exploit this type of flaw, and the author gives an example of how to elevate privileges.
He has written a sample application which he calls "Shatter" which he claims will allow hackers to elevate privileges.
But the author of the page says he has emailed Microsoft and told them how Windows code can be exploited.
He also says that Microsoft does not classify this type of attack as vulnerabilities. That, he adds, is just not true, and the Win32 API cannot be changed.
He has sent an email to several people and organisations, including Security Focus, to outline his findings.
While he says these kind of vulnerabilities have been discussed before, he says his is the first documented way to exploit the problem, which is not a bug, and which he says affects every Windows software package on the planet.
News source: The Inquirer - Windows can be "shattered", but MS not listening
View: Exploiting design flaws in the Win32 API for privilege escalation
-1 Comments - Add comment