If users can shut down the machine, it's not a security hole if they can shut down the machine


One great way to come up with a dubious security vulnerability is to take something completely innocuous and wrap it inside layer upon layer of obfuscation, and then you proclaim that the obfuscation is the vulnerability. Here’s an example based on an actual dubious vulnerability report:

Title: Native NT application can shut down computer

Description: I have written this native NT application which bypasses the Win32 layer and talks directly to the low-level native NT functions. By calling various native NT functions, I can cause a dialog box to appear which includes a Shut Down button that shuts down the computer if the user clicks on it.

Well, sure, you can go through all that to shut down the computer. Or you can save yourself all the hassle and just call ExitWindowsEx. You see, that dialog box you found includes a “Shut Down” button only if the user that ran it has permission to shut down the computer in the first place. It is not a security vulnerability that users with permission to shut down the computer can shut down the computer.

This is another example of people getting excited that they were able to do something unusual. But just because you can do something unusual doesn’t mean that you’ve found a security vulnerability.


Comments are closed. Login to edit/delete your existing comments