A short paper written on the subject
It provides you with the program you need to exploit the bug, as well as the instructions, which are easy enough for everyone here to follow. With it you can gain full privileges from a guest account!
Apparently this is unfixable right now and MS does not even consider it a flaw/bug.
Background - the Win32 messaging system
Applications within Windows are entirely controlled through the use of messages. When a key is pressed, a message is sent to the current active window which states that a key was pressed. When Windows decides that an application needs to redraw its client area, it sends a message to the application. In fact, when any event takes place that an application needs to know about, it is sent a message. These messages are placed into a queue, and are processed in order by the application.
This is a very reliable mechanism for controlling applications. However, on Win32 the mechanism for controlling these messages is flawed. Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious application is indistinguishable from a message sent by the Windows kernel. It is this lack of authentication that we will be exploiting, taking into consideration that these messages can be used to manipulate windows and the processes that own them.