{"@ID": "422", "@Name": "Unprotected Windows Messaging Channel ('Shatter')", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "420", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "360", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Architecture and Design"}}, "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": ["Gain Privileges or Assume Identity", "Bypass Protection Mechanism"]}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Architecture and Design", "Description": "Always verify and authenticate the source of the message."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2002-0971", "Description": "Bypass GUI and access restricted dialog box.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0971"}, {"Reference": "CVE-2002-1230", "Description": "Gain privileges via Windows message.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1230"}, {"Reference": "CVE-2003-0350", "Description": "A control allows a change to a pointer for a callback function using Windows message.", "Link": "https://www.cve.org/CVERecord?id=CVE-2003-0350"}, {"Reference": "CVE-2003-0908", "Description": "Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access \"open file\" dialog.", "Link": "https://www.cve.org/CVERecord?id=CVE-2003-0908"}, {"Reference": "CVE-2004-0213", "Description": "Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0213"}, {"Reference": "CVE-2004-0207", "Description": "User can call certain API functions to modify certain properties of privileged programs.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0207"}]}, "Affected_Resources": {"Affected_Resource": "System Process"}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Unprotected Windows Messaging Channel ('Shatter')"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP30", "Entry_Name": "Missing endpoint authentication"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-402"}, {"@External_Reference_ID": "REF-62", "@Section": "Chapter 2, \"Design Review.\" Page 34"}, {"@External_Reference_ID": "REF-62", "@Section": "Chapter 12, \"Shatter Attacks\", Page 694"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": [{"@Type": "Relationship", "#text": "Overlaps privilege errors and UI errors."}, {"@Type": "Research Gap", "xhtml:p": ["Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such.", "Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available."]}]}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-10-14", "Modification_Version": "1.0.1", "Modification_ReleaseDate": "2008-10-14", "Modification_Comment": "updated Other_Notes, Relationship_Notes, Research_Gaps"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}]}}
