#21
A kozismertek: Microsoft Windows Certificate Chain vulnerability
Microsoft Windows is flawed in the way it trusts certificates. Microsoft Windows File Protection will automatically trust software that has been digitally signed with certificates rooted in any of the Trusted Root Certification Authorities.
This can be abused by malicious persons to sign any maliciously designed code and install it on systems without alerting the user, because Windows "trusts" root certificates even if they should only be used for signing SSL certificates and not signing code. This could be done anonymously by using:
http://www.freessl.com/
Also Windows is designed to trust every version of previously published code from .CAT files, this allows malicious persons to replace new code with old buggy and vulnerable code.
This problem exists even if you have applied MS02-050 to prevent ID spoofing with digital signatures.
Windows 2000/XP PostMessage Password Disclosure
An information disclosure vulnerability has been identified in Windows 2000 and Windows XP, which can be exploited by a malicious, local user to gain knowledge of sensitive information.
The vulnerability is caused by an access control error in the Windows API, which allows a program using the PostMessage function to send EM_SETPASSWORDCHAR messages to the message queue of dialog boxes owned by other processes. This can be exploited to disclose masked passwords by constructing a password revealing program.
This kind of programs have previously been known for other versions of Windows, but have not existed for Windows 2000/XP, since the SendMessage function exploited in these programs was secured in Windows 2000/XP.
#21