> From: Ben Tilly <[EMAIL PROTECTED]>
> Date: Mon, 21 Mar 2005 18:21:38 -0800
>
> And now that there is serious venture capital behind adware, some
> of the more difficult security exploits are getting hit hard. For instance
> I've heard that internal Windows messages have *no* security
> infrastructure. Any application can send a message to any other
> application and there is no way for the recipient to figure out who the
> message is really from. (To exploit you have to send the right
> message to the right application when it is expecting to see a
> message that can be confused with yours.)

That is correct. It is apparently easy to subvert apps such as
antivirus that run as Administrator via their GUI, if they are foolish
enough to present a GUI on a less-privileged desktop.
But if you're using IE as your trojan horse, and you already have
enough control over it to send messages to other app windows, then you
have full access to the privs of the IE user, so why bother? Odds are
it's a home system, and you won't even have to get Administrator privs
in order to install adware, spyware, etc.
> A friend who supports a lot of small businesses is predicting that by
> the end of this year, Windows will essentially be unusable on the
> Internet. This seems extreme to me, but I don't keep track of these
> things, he does, and he has pretty good insight into the industry.

It seems extreme to me, too, even if we were just talking about home
systems. If I understand correctly, this window message thing is a
fundamental design flaw in the older Windows APIs, but there is current
technology that addresses the problem. Unfortunately, it is less
convenient for users, so the trick will be to get vendors to switch to
using it. But if it threatens to hit MS in their pocketbook, it will
happen.
But then, I do my best to ignore Windows, and have been largely
successful at it, so I'm hardly an expert.
-- Bob Rogers
http://rgrjr.dyndns.org/
_______________________________________________
Boston-pm mailing list
[email protected]
http://mail.pm.org/mailman/listinfo/boston-pm