[Am-info] MS Security flaw

[Eric M. Hopper]

On Thu, 2002-08-08 at 06:53, Eric M. Hopper wrote:
> On Thu, 2002-08-08 at 05:44, John J. Urbaniak wrote:
> > 
> > Is there any credibility to this?
> 
> I am not a Windows guru.  I've dealt some with the Windows API, but not
> really extensively.  But, from what I know, this article is true. 
> Certainly his broad description of the Windows event system is right on
> target, right down to the lack of authentication.

Also, his characterization of X is flawed.

In X, controls often are individual windows of their own, and not just
pictures.  In fact, the protocol gets really inefficient if you start
having the controls just be pictures.

But, X flags 'synthetic' messages, messages from applications, as just
that.  So it's pretty easy for a program to ignore synthetic messages. 
The model of a malicious application trying to control other
applications on the system was thought of by the designers of X.

OTOH, the X server is a complicated program that usually runs as root in
order to have unfettered access to the display device.  It's possible it
has buffer overflows and other problems that would allow a program to
gain control of the X server.

I know very little about how MacOS works, and whether or not it could
have this vulnerability.

Have fun (if at all possible),
-- 
The best we can hope for concerning the people at large is that they
be properly armed.  -- Alexander Hamilton
-- Eric Hopper (hopper@omnifarious.org 
http://www.omnifarious.org/~hopper) --