Re: Re[2]: W2k: Unkillable Applications

From: Bronek Kozicki (brokat_private)
Date: Wed Jul 18 2001 - 04:05:51 PDT


    > It appears that the Processes tab is doing a simple filename-based
    > search, and the Applications tab isn't doing any search at all.
    > (After all, the 'critical system processes' like Winlogon would never
    > show up in the Applications tab in the first place, since they don't
    > have top-level windows associated with them.)
    
    Little mistake here. Winlogon _has_ a top-level window, it's just invisible.
    You may make it easily visible with tools like showin.exe (you will find
    more such windows, most are in the Explorer process). See the Microsoft 01-007
    security bulletin for how this can be exploited.
    
    > At the very, very least, the Task Manager should be making this check
    > based on the full pathname of the process, not just the filename; an
    > application running in C:\TEMP is highly unlikely to be a critical
    > system process...
    
    Agree.
    
    regards
    
    B.
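
The full-pathname check suggested in the quoted text, written out as an added example that is not part of the original thread or of Task Manager's code. The list of protected names, the `C:\WINNT\system32` system directory, and the sample process list are assumptions constructed for illustration.

```python
import ntpath

# Assumptions for this sketch (not from the original post): the protected
# names and the system directory below are illustrative values.
CRITICAL_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe"}
SYSTEM_DIR = r"C:\WINNT\system32"


def _norm(path):
    """Canonicalise a Windows path: unify slashes, resolve '.' and '..', fold case."""
    return ntpath.normcase(ntpath.normpath(path))


def critical_by_name(image_path):
    """The filename-only check the thread criticises."""
    return ntpath.basename(_norm(image_path)) in CRITICAL_NAMES


def critical_by_path(image_path, system_dir=SYSTEM_DIR):
    """Name must match AND the image must sit directly in the system directory."""
    full = _norm(image_path)
    return (ntpath.basename(full) in CRITICAL_NAMES
            and ntpath.dirname(full) == _norm(system_dir))


def find_masquerades(processes):
    """Return (pid, path) for processes that pass the name check but fail the path check."""
    return [(pid, path) for pid, path in processes
            if critical_by_name(path) and not critical_by_path(path)]


# Constructed sample process list: (pid, full image path).
SAMPLE = [
    (176, r"C:\WINNT\system32\winlogon.exe"),
    (204, r"C:\WINNT\System32\SERVICES.EXE"),          # case differs, still genuine
    (1312, r"C:\TEMP\winlogon.exe"),                   # name matches, wrong directory
    (1400, r"C:\WINNT\system32\..\..\TEMP\lsass.exe"), # '..' resolves outside system32
    (1520, r"C:\Program Files\App\notepad.exe"),       # not a protected name
]

if __name__ == "__main__":
    for pid, path in find_masquerades(SAMPLE):
        print(f"pid {pid}: critical name outside {SYSTEM_DIR}: {path}")
```

Comparing normalised paths rather than raw strings matters here: without it, a case difference would reject a genuine system process and a `..` sequence would let a path that only starts with the system directory pass.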
    


