Yet another Microsoft controversy is in the news this week. This controversy involves a so-called Windows Shatter Attack that is "unfixable" because the only reliable solution reportedly requires functionality that Windows doesn't have. Predictably, several news agencies have latched onto the story, foretelling the upcoming demise of Windows. But as Microsoft points out, for the Shatter Attack to do any damage, an intruder must gain access to a user's system. And, according to the company's Ten Immutable Laws of Security (see URL below), after this situation occurs, the user's system already has been exploited. Thus, Microsoft says, the Shatter Attack doesn't represent a Windows vulnerability but illustrates what can happen when users ignore basic security practices.
Programmer Chris Paget authored an online white paper that describes the Shatter Attack and other attack methods (see the second URL below). According to Paget, Microsoft Group Vice President Jim Allchin's comments during the company's antitrust trial inspired Paget's research. Allchin said that certain flaws in Windows were so serious that if the company revealed the Windows source code, information about the flaws would threaten national security. Allchin then mentioned the Windows message-queuing subsystem, and Paget got to work looking for flaws. The Shatter Attack is apparently one successful result of his research.
Microsoft's response to Paget's attack is credible, however. After noting that the Shatter Attack is just a new approach to an old issue that the company has known about for years, a Microsoft spokesperson told Paget in an email that his attack requires that a system be compromised before the attack can do any damage. "The attack you describe either requires \[users\] to run an attacker's program on their \[systems\] or the attacker needs to have access to the \[users' systems\]," the email reads. "In either case, the attacker has been allowed to cross a security boundary. In our essay, the 'Ten Immutable Laws of Security,' these are Law #1--'If a bad guy can persuade you to run his program on your computer, it's not your computer anymore,' and Law #3--'If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.'"
Obviously, the Shatter Attack isn't the real problem. The problem is the email virus that could deliver the attack or any other delivery vehicle that gives an attacker remote or physical access to a user's system. Thus, the details of the attack matter little.