Microsoft Windows contains vulnerability in Window Management API

2004-10-13T00:00:00
ID VU:218526
Type cert
Reporter CERT
Modified 2004-10-13T00:00:00

Description

Overview

A vulnerability in the Microsoft Windows window application programming interfaces (APIs) could allow a local attacker to gain elevated privileges on a vulnerable system.

Description

Microsoft Windows contains a vulnerability in the window management application programming interface (API) functions. These functions are used to change various properties of a program window including the size and name of the window. Typically, an application should only be able to change the properties of another application running with the same level of privileges. There is a vulnerability in several of the Window Management API functions that could allow one application to modify the properties of another application that is running with a higher level of privileges.


Impact

A local, authenticated attacker could execute an application that modifies the properties of another application running at a higher level of privileges to gain complete control of the vulnerable system.


Solution

Apply Patch

Microsoft has provided a patch to address this vulnerability. For a list of affected versions and details on obtaining the patch, please refer to Microsoft Security Bulletin MS04-032.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Microsoft Corporation| | -| 13 Oct 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx>
  • <http://securitytracker.com/alerts/2004/Oct/1011645.html>
  • <http://secunia.com/advisories/12804/>

Credit

This vulnerability was reported by Microsoft. Microsoft credits Brett Moore of Security-Assessment.com for discovering the vulnerability.

This document was written by Damon Morda and based on information provided by Microsoft.

Other Information

  • CVE IDs: CAN-2004-0207
  • Date Public: 12 Oct 2004
  • Date First Published: 13 Oct 2004
  • Date Last Updated: 13 Oct 2004
  • Severity Metric: 10.69
  • Document Revision: 15