This is an example of a so-called shatter attack. Window messages are used to redirect program execution to a previously prepared program location (see Oliver Lavery, "Win32 Message Vulnerability Redux - Shatter Attacks Remain a Threat").
Where is the security problem in this case? Do not focus exclusively on the window message mechanism. It is surely not perfect, and MS has already improved its safety a bit (e.g. by checking whether function pointers were actually registered by the receiver beforehand). But the main problem is that a service runs as a SETUID (sorry: privileged) program with extended privileges under Windows and at the same time offers an interface for its manipulation that is extremely hard to protect against input validation problems. So we learn again that setuid programs are extremely critical and that they should keep their interfaces, size and functions minimal.
But besides setuid programs, this weakness affects regular programs from other users as well.
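The receiver-side check mentioned above (only call a function pointer the receiver itself registered) can be sketched as follows. This is an added example, not code from the original page or from Windows: it simulates a message dispatcher in portable C, and every name in it (`struct msg`, `MSG_TIMER`, `register_timer_cb`, `dispatch`) is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names throughout: a simulation, not the Win32 API. */
typedef void (*timer_cb)(uintptr_t id);

struct msg { unsigned type; uintptr_t wparam; uintptr_t lparam; };
enum { MSG_TIMER = 1 };   /* message whose lparam carries a callback address */

#define MAX_CB 8
static timer_cb registered[MAX_CB];  /* callbacks the receiver itself registered */
static size_t n_registered;
static unsigned calls;               /* counts callback invocations for the demo */

static void on_tick(uintptr_t id) { (void)id; calls++; }

/* Receiver-side registration: the only way an address becomes callable. */
int register_timer_cb(timer_cb cb) {
    if (cb == NULL || n_registered == MAX_CB) return -1;
    registered[n_registered++] = cb;
    return 0;
}

static int is_registered(uintptr_t addr) {
    for (size_t i = 0; i < n_registered; i++)
        if ((uintptr_t)registered[i] == addr) return 1;
    return 0;
}

/* Hardened dispatch: the address in the message is untrusted input from
 * any sender and is called only if the receiver registered it earlier.
 * Returns 0 if a callback ran, -1 if the message was rejected. */
int dispatch(const struct msg *m) {
    if (m->type != MSG_TIMER) return -1;
    if (!is_registered(m->lparam)) return -1;  /* an unchecked dispatcher skips this test */
    ((timer_cb)m->lparam)(m->wparam);
    return 0;
}

unsigned callback_calls(void) { return calls; }

/* Constructed sample messages: one with a registered callback, one with a bogus address. */
int demo(void) {
    register_timer_cb(on_tick);
    struct msg good = { MSG_TIMER, 7, (uintptr_t)on_tick };
    struct msg bad  = { MSG_TIMER, 7, (uintptr_t)0xDEADBEEFu };
    return dispatch(&good) == 0 && dispatch(&bad) == -1;
}

int main(void) { return demo() ? 0 : 1; }
```

The check narrows what a message can trigger, but the receiver still has to treat every other message parameter as untrusted, which is why the text puts the weight on keeping a privileged program's interface minimal.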