The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.
View on MITREAlways verify and authenticate the source of the message.
No detection method information available for this CWE.
A control allows a change to a pointer for a callback function using Windows message.
View DetailsProduct launches Help functionality while running with raised privileges, allowing command execution using Windows message to access "open file" dialog.
View DetailsAttacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.
View DetailsUser can call certain API functions to modify certain properties of privileged programs.
View DetailsCWE-422: Unprotected Windows Messaging Channel ('Shatter') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.
If exploited, CWE-422 (Unprotected Windows Messaging Channel ('Shatter')) it can compromise Access Control, leading to outcomes such as Gain Privileges or Assume Identity and Bypass Protection Mechanism.
Recommended mitigations for CWE-422 include: Always verify and authenticate the source of the message.
CWE-422 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-422, including CVE-2002-0971, CVE-2002-1230, CVE-2003-0350, CVE-2003-0908 and CVE-2004-0213. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-422 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.