Difference between revisions of "Trust of system event data"

Jump to: navigation, search
(Reverting to last version not containing links to www.texterletodela.com)
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[ASDR Table of Contents]]
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]

Latest revision as of 13:30, 27 May 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 05/27/2009

Vulnerabilities Table of Contents


Security based on event locations are insecure and can be spoofed.


  • Authorization: If one trusts the system-event information and executes commands based on it, one could potentially take actions based on a spoofed identity.

Exposure period

  • Design through Implementation: Trusting unauthenticated information for authentication is a design flaw.


  • Languages: Any
  • Operating platforms: Any

Required resources




Likelihood of exploit


Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source.

Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.

Risk Factors



In Java:

public void actionPerformed(ActionEvent e) {
  if (e.getSource()==button) 
    System.out.println("print out secret information");

Related Attacks

Related Vulnerabilities

Related Controls

  • Control 1
  • Control 2
  • Design through Implementation: Never trust or rely any of the information in an Event for security.

Related Technical Impacts