Windows API flaw sparks security row

NEWS By Matthew Broersma A security expert has sparked fresh controversy regarding the security of Microsoft's Windows operating system. Chris Paget, a freelance security researcher, has claimed a flaw in the design of the Windows architecture has led to vulnerabilities in an unknown number of Windows applications. Paget published a whitepaper demonstrating what he calls a 'Shatter Attack', which allows a user to elevate his or her privileges and gain control of a system. The attack makes use of a flaw that Paget says may be found in many Windows applications, due to the way the Windows application programming interface (API), Win32, is designed. The security of Windows APIs has come under the spotlight recently because of Microsoft's antitrust case. Under the terms of a proposed settlement, Microsoft would be required to disclose the workings of previously secret APIs - a process the company has already begun. However, Microsoft would reserve the right not to disclose APIs which are important for Windows security, in keeping with what the company's critics say is a strategy of "security through obscurity". Paget argues that his research shows that far from obscurity providing the best security, the reverse strategy is more effective. "If people know about these problems, they can work around them," he said. "If they don't, they've got no choice but being vulnerable to them. It comes back to whether you think full disclosure is a good thing." Click here to read more about the 'Shatter Attack': http://www.silicon.com/a55026 What do you think about this story. Does it highlight the need for more openness in the security field? Should Microsoft be more of a sharing, caring company. Register a reader comment below. Matthew Broersma writes for ZDNet UK