MS Sec Notification mailing list archives

Microsoft Security Bulletin MS03-025: Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (Q822679)


From: "Microsoft" <0_49878_04BF067D-4CF8-4245-B5C1-58573E5746A8_US () Newsletters Microsoft com>
Date: Mon, 11 Aug 2003 22:30:16 -0700

-----BEGIN PGP SIGNED MESSAGE-----


---------------------------------------------------------------
Title:      Flaw in Windows Message Handling through Utility 
            Manager Could Enable Privilege Elevation (822679)
Date:       09 July 2003
Software:   Microsoft(r) Windows(r) 2000
Impact:     Privilege Elevation
Max Risk:   Important
Bulletin:   MS03-025

Microsoft encourages customers to review the Security Bulletins 
at: 
http://www.microsoft.com/technet/security/bulletin/MS03-025.asp
http://www.microsoft.com/security/security_bulletins/ms03-025.asp
---------------------------------------------------------------

Issue:
======

Microsoft Windows 2000 contains support for Accessibility options 
within the operating system. Accessibility support is a series of 
assistive technologies within Windows that allow users with 
disabilities to access the functions of the operating system. 
Accessibility support is enabled or disabled through shortcuts 
built into the operating system, or through the Accessibility 
Utility Manager. Utility Manager is an accessibility utility that 
allows users to check the status of accessibility programs 
(Microsoft Magnifier, Narrator, On-Screen Keyboard) and to start 
or stop them.

There is a flaw in the way that Utility Manager handles Windows 
messages. Windows messages provide a way for interactive 
processes to react to user events (for example, keystrokes or 
mouse movements) and communicate with other interactive 
processes. A security vulnerability results because the control 
that provides the list of accessibility options to the user does 
not properly validate Windows messages sent to it. It's possible 
for one process in the interactive desktop to use a specific 
Windows message to cause the Utility Manager process to execute a 
callback function at the address of its choice. Because the 
Utility Manager process runs at higher privileges than the first 
process, this would provide the first process with a way of 
exercising those higher privileges. 

By default, the Utility Manager contains controls that run in the 
interactive desktop with Local System privileges. As a result, an 
attacker who had the ability to log on to a system interactively 
could potentially run a program that could send a specially 
crafted Windows message to the Utility Manager process, causing 
it to take any action the attacker specified. This would give the 
attacker complete control over the system. 

The attack cannot be exploited remotely, and the attacker would 
have to have the ability to interactively log on to the system.


Mitigating factors: 
====================

 - An attacker would need valid logon credentials to exploit the 
vulnerability. It could not be exploited remotely. 

 - Properly secured servers would be at little risk from this 
vulnerability. Standard best practices recommend only allowing 
trusted administrators to log on to such systems interactively; 
without such privileges, an attacker could not exploit the 
vulnerability. 

Risk Rating:
============
Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read 
the Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/ms03-025.asp
http://www.microsoft.com/security/security_bulletins/ms03-025.asp

for information on obtaining this patch.


---------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT 
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, 
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL 
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT 
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL 
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.


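Added illustration, not part of the Microsoft bulletin and not Microsoft's code: a portable C model of the flaw class described under "Issue", in which a privileged control calls a callback address taken from a message without validating it, shown beside a handler that validates both the sender and the callback. The message id, struct and function names are hypothetical, and no Windows API is used.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: a privileged control receives messages from any
 * process on its desktop. All names here are hypothetical. */
typedef int (*callback_t)(int, int);
enum { MSG_SORT = 1, REJECTED = -1 };
typedef struct { int id; int sender_privileged; callback_t cb; } msg_t;

static int by_value(int a, int b) { return a - b; }  /* control's own callback */
/* Stands in for code at an address picked by the sending process. */
static int sender_chosen(int a, int b) { (void)a; (void)b; return 99; }

static const callback_t registered[] = { by_value };

/* Flawed pattern: the address in the message is called as-is, so it
 * runs with the control's privileges whoever sent it. */
int handle_unvalidated(const msg_t *m) {
    if (m->id == MSG_SORT && m->cb) return m->cb(7, 3);
    return REJECTED;
}

/* Validating pattern: the sender must be at least as privileged as the
 * control, and the callback must be one the control registered itself. */
int handle_validated(const msg_t *m) {
    if (m->id != MSG_SORT || !m->sender_privileged) return REJECTED;
    for (size_t i = 0; i < sizeof registered / sizeof registered[0]; i++)
        if (m->cb == registered[i]) return m->cb(7, 3);
    return REJECTED;
}

/* Builds a message and delivers it to the given handler. */
int post_msg(int (*handler)(const msg_t *), int privileged, callback_t cb) {
    msg_t m = { MSG_SORT, privileged, cb };
    return handler(&m);
}

int main(void) {
    printf("unvalidated, low-priv sender: %d\n", post_msg(handle_unvalidated, 0, sender_chosen));
    printf("validated,   low-priv sender: %d\n", post_msg(handle_validated, 0, sender_chosen));
    printf("validated,   control's own:   %d\n", post_msg(handle_validated, 1, by_value));
    return 0;
}
```

The validating handler applies two independent checks, so a registered callback from an unprivileged sender and an unregistered callback from a privileged sender are both rejected.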

