search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows contains vulnerability in Window Management API

Vulnerability Note VU#218526

Original Release Date: 2004-10-13 | Last Revised: 2004-10-13


A vulnerability in the Microsoft Windows window application programming interfaces (APIs) could allow a local attacker to gain elevated privileges on a vulnerable system.


Microsoft Windows contains a vulnerability in the window management application programming interface (API) functions. These functions are used to change various properties of a program window including the size and name of the window. Typically, an application should only be able to change the properties of another application running with the same level of privileges. There is a vulnerability in several of the Window Management API functions that could allow one application to modify the properties of another application that is running with a higher level of privileges.


A local, authenticated attacker could execute an application that modifies the properties of another application running at a higher level of privileges to gain complete control of the vulnerable system.


Apply Patch

Microsoft has provided a patch to address this vulnerability. For a list of affected versions and details on obtaining the patch, please refer to Microsoft Security Bulletin MS04-032.

Vendor Information


Microsoft Corporation Affected

Updated:  October 13, 2004



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Please refer to Microsoft Security Bulletin MS04-032.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was reported by Microsoft. Microsoft credits Brett Moore of for discovering the vulnerability.

This document was written by Damon Morda and based on information provided by Microsoft.

Other Information

CVE IDs: CVE-2004-0207
Severity Metric: 10.69
Date Public: 2004-10-12
Date First Published: 2004-10-13
Date Last Updated: 2004-10-13 17:41 UTC
Document Revision: 15

Sponsored by CISA.