In this week’s Tech Time Warp, we’re looking back at August 2002, when security researcher Kristin Paget published a whitepaper on the dangers of “shatter attacks,” and Microsoft had more than a few quibbles with it.
Paget described a flaw in the Windows operating system that let a user elevate their own system privileges and take over a computer. The flaw lay in the actual “windows” themselves, or rather in the messaging mechanism through which a Windows user controls an application. Essentially, every window on the desktop sent and received these messages at the same security level, so an attack could take place when a window belonging to a low-privilege program was used to send messages to a window belonging to a higher-privilege program. This could fool the computer into treating the user as having elevated privileges—rendering the cybersecurity principle of least privilege, in which a user or application is only given access to the resources necessary to complete required tasks, moot. (The idea is that restricting access prevents unintended consequences.)
Microsoft pushed back. In a statement, the tech behemoth said the situation Paget described did not “meet Microsoft’s definition of a security vulnerability” and that for it to take place, a hacker already had to have “unrestricted physical access to your computer.” In the cybersecurity community, there was debate over whether developers or Microsoft were responsible for the vulnerability—but there was consensus that a risk did exist.
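The design problem described above is easiest to see in a toy model. The following Python is an added illustration, not code from Paget’s whitepaper or from Windows: it models a desktop message queue where every window can message every other window regardless of the sending process’s privilege, then adds a sender-privilege check at the delivery point, which is the least-privilege fix. The window names, privilege numbers, and the `set_text` message are all made up for the example.

```python
"""Toy model of a desktop message queue (constructed example, not Windows code).

Without enforcement, a message from a low-privilege process is delivered to a
window owned by a high-privilege process, and the receiver's handler runs with
the receiver's privilege. With enforcement, the queue checks the sender's
privilege before delivery, so the lower-privilege sender is simply ignored.
"""
from dataclasses import dataclass, field


@dataclass
class Window:
    name: str
    privilege: int                      # higher number = more privileged owner process
    text: str = ""
    log: list = field(default_factory=list)

    def handle(self, msg: str, payload: str) -> None:
        # The handler always executes in the *receiving* process, with that
        # process's privilege; it has no idea who queued the message.
        if msg == "set_text":
            self.text = payload
        self.log.append((msg, payload, self.privilege))


class MessageQueue:
    """Routes messages between windows; `enforce` toggles the privilege check."""

    def __init__(self, enforce: bool) -> None:
        self.enforce = enforce
        self.windows: dict[str, Window] = {}

    def register(self, window: Window) -> None:
        self.windows[window.name] = window

    def send(self, sender_privilege: int, target: str, msg: str, payload: str) -> bool:
        """Return True if the message was delivered, False if it was dropped."""
        target_window = self.windows[target]
        if self.enforce and sender_privilege < target_window.privilege:
            # Least privilege applied to the channel: a lower-privilege sender
            # may not drive a higher-privilege window's handler.
            return False
        target_window.handle(msg, payload)
        return True


def run_scenario(enforce: bool) -> dict:
    """Low-privilege sender (1) messages a window owned by a privileged process (3)."""
    queue = MessageQueue(enforce=enforce)
    queue.register(Window("user_app", privilege=1))
    queue.register(Window("admin_tool", privilege=3))
    delivered = queue.send(1, "admin_tool", "set_text", "attacker-chosen text")
    admin = queue.windows["admin_tool"]
    return {
        "delivered": delivered,
        "admin_text": admin.text,
        # privilege level the handler ran with, if it ran at all
        "handler_ran_at": admin.log[-1][2] if admin.log else None,
    }


if __name__ == "__main__":
    print("no check:  ", run_scenario(enforce=False))
    print("with check:", run_scenario(enforce=True))
```

Running it shows the same low-privilege message accepted and executed at privilege 3 in the first scenario and dropped in the second. The point is where the check lives: the receiving window's handler cannot tell who sent a message, so the privilege decision has to be made by the delivery mechanism, not left to each application.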
Despite its initial reaction, Microsoft released a patch in December 2002 to address the vulnerability Paget had described—and later hired Paget to work on the security of Windows Vista. Paget, who has also worked on security for Apple and Tesla, has been known to carry a business card with the moniker “Hacker Princess.”
Did you enjoy this installment of SmarterMSP’s Tech Time Warp? Check out others here.
Photo: mykhailo pavlenko / Shutterstock