Window Shattering seems to be an instance of this problem. I learned about this problem through this interesting note. Microsoft’s reply (look for “5 Aug 2002”) seems to be to the effect that any conceivable architecture would have this property and that it is thus not a security problem. They “recommended against interactive services”, which in this context means that a program with great authority should not interact with the user. What about the program I use to sign documents? Am I not to see the documents I sign? They go on to say “It is the implementer of a program that decides what messages to handle and how to handle them.” Indeed, but such programs need to know the origin of the request. A person in charge of an ICBM needs to know the origin of a launch command. The SSN of the person composing the request is not suitable for this.

The precursor to the problem is described in this note, but in terms of much Windows programming jargon. Here I guess a few things about Windows (a bit of hermeneutics). Please correct me if I am wrong (norm at cap-lore dot com).