4. It's unfixable. Well, kinda. The problem, fundamentally, is the Win32 API (People are gonna disagree with that one, I know, but trust me - I'll shoot down those arguments in a few paragraphs), much like the root cause of buffer overflows is the way that functions like strcat() and sprintf() work in the standard C library. Since the Win32 API can't really be changed without breaking a LOT of stuff, people could (and will have to) be aware of these things and work around them. It's never going to go away though, much like buffer overflows are still commonplace after they've been VERY well known and VERY widely documented for years. The root problem cannot be fixed, but a lot of the symptoms can be if developers put in extra work. Personally, I believe that the blame should ultimately lie with Microsoft; they designed Windows so that it was easy to use, easy to code for, and (as a consequence) easy to break into. Disagree if you will, but you won't change my mind on that one.
I've been in two minds as to whether or not to release a lot of this information. But, I figured that a) most people regard local security on Windows as utterly shite anyway, b) a lot of this stuff was suggested by other people on the internet, so people are already thinking along similar lines, and c) I'm getting hacked off waiting for CERT and Microsoft to respond to my emails. The whole US-UK time difference means we exchange one email every 24 hours, at best. In the case of MS, that's 24 hours for them to stall for time by saying "Please give us more detail", and in the case of CERT that's 24 hours for them to say, well, nothing at all. So here it is - enjoy.
LocalSystem desktop windows on a default installation of Win2K
Yes, it's true. Microsoft break their own rules on this score. The general consensus from the readers of Bugtraq / NTBugtraq / Slashdot / god knows where else, as well as from Microsoft, is that if you place a window on the desktop as LocalSystem, you're begging for trouble. Well, I guess Microsoft must be begging for trouble - I've found two that are normally there, and a third you can create.
1 - NetDDE. Regular DDE runs within explorer.exe as whoever is logged on at the time; the network flavour, however, has a window on the desktop which is running within winlogon.exe. What's that you say? Winlogon is a critical system process? Why yes! Critical system processes having windows on the desktop is a really clever thing to do! Wonderful!
2 - "MM Notify Callback". Quite frankly, I don't actually have the faintest clue WHAT this window does. Quite frankly, I don't care either. What I do care about is that it's owned by winlogon.exe. What's that you say? Winlogon is a critical system process? Why yes! More loveliness!
3 - Messenger service (discovered by Georgi Guninski). On a default installation of Win2K Pro, drop to a command prompt and type "net send 127.0.0.1 hello". A neat little window pops up that says who the message was from, at what time, yadda yadda yadda. Unfortunately, that window is owned by the Client-Server Runtime Sub-System (great acronym), AKA csrss.exe. Guess what? It's another critical system process, with another LocalSystem window on the desktop.
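If you want to audit a box for windows like these rather than take my word for it, here is an added script (mine, not part of the original write-up) that enumerates every top-level window on the caller's desktop, hidden ones included, looks up the owning process, and flags any served by NT AUTHORITY\SYSTEM. It assumes Windows PowerShell 5.1 or later in an elevated session (so the owner of winlogon.exe and csrss.exe can be read); the class name DesktopWin and the function Get-ProcessOwner are my own.

```powershell
# Added audit script, not code from the original post. Assumes an elevated
# Windows PowerShell 5.1+ session; DesktopWin and Get-ProcessOwner are ad-hoc names.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class DesktopWin {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount);
}
"@
# One CIM owner lookup per process (cached), not one per window.
$ownerCache = @{}
function Get-ProcessOwner([uint32]$ProcessId) {
    if (-not $ownerCache.ContainsKey($ProcessId)) {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
        $o = if ($proc) { Invoke-CimMethod -InputObject $proc -MethodName GetOwner } else { $null }
        # GetOwner reports ReturnValue 0 on success; anything else (e.g. access denied) is unknown.
        $ownerCache[$ProcessId] = if ($o -and $o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
    }
    return $ownerCache[$ProcessId]
}
$results = New-Object System.Collections.Generic.List[object]
$callback = [DesktopWin+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    $procId = [uint32]0
    [void][DesktopWin]::GetWindowThreadProcessId($hWnd, [ref]$procId)
    $title = New-Object System.Text.StringBuilder 256
    $class = New-Object System.Text.StringBuilder 256
    [void][DesktopWin]::GetWindowText($hWnd, $title, $title.Capacity)
    [void][DesktopWin]::GetClassName($hWnd, $class, $class.Capacity)
    $owner = Get-ProcessOwner $procId
    $results.Add([pscustomobject]@{
        Handle = '0x{0:X}' -f $hWnd.ToInt64(); Class = $class.ToString(); Title = $title.ToString()
        PID = $procId; Image = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
        Owner = $owner; LocalSystem = ($owner -eq 'NT AUTHORITY\SYSTEM')   # the finding that matters
    })
    return $true   # keep enumerating
}
[void][DesktopWin]::EnumWindows($callback, [IntPtr]::Zero)
# Hidden windows are included: that is where things like NetDDE Agent and MM Notify Callback sit.
$results | Where-Object { $_.LocalSystem } | Sort-Object Image, Class |
    Format-Table Handle, Class, Title, PID, Image, Owner -AutoSize
```

Run it, then run it again after a "net send" to yourself to watch the csrss.exe popup appear in the list; anything it reports is a window that a less privileged process on the same desktop can send messages to.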
No localsystem desktop windows? No problem!