QwikSec

Security Database

CVE

CWE

Training

CWE Database
/

CWE-422

Back to CWE list

CWE-422

Unprotected Windows Messaging Channel ('Shatter')

Variant
Draft

Description

The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.

Common Consequences

Scope

Access Control

Impact

Gain Privileges or Assume Identity, Bypass Protection Mechanism

Potential Mitigations

Architecture and Design

Always verify and authenticate the source of the message.

CVE-2002-0971

Bypass GUI and access restricted dialog box.

CVE-2002-1230

Gain privileges via Windows message.

CVE-2003-0350

A control allows a change to a pointer for a callback function using Windows message.

CVE-2003-0908

Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access "open file" dialog.

CVE-2004-0213

Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.

CVE-2004-0207

User can call certain API functions to modify certain properties of privileged programs.

Applicable Platforms

Not Language-Specific

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now
CWE-422: Unprotected Windows Messaging Channel ('Shatter') | QwikSec