Thursday, April 24, 2008

Critical vulnerability found in Windows

Microsoft is currently investigating a vulnerability that could allow elevation of privilege from an authenticated user to LocalSystem, affecting major Windows releases from Windows XP Professional SP2 to Windows Server 2008.

This vulnerability was publicly reported and, according to Microsoft's advisory, "Specially crafted code running in the context of the NetworkService or LocalService accounts may gain access to resources in processes that are also running as NetworkService or LocalService". MSSQL and IIS will also be affected if they are configured to run code.

Successful exploitation allows execution of arbitrary code with LocalSystem privileges, but requires the ability to run code in an authenticated context (such as using IIS running ASP.NET code and SQL Server having administrative privileges to load and run code).

So far (at the time of this entry), the suggested workaround from Microsoft is to configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager, and to disable MSDTC. For more detail, please see the Microsoft Advisory.
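The check below is an added example, not part of the original post or of Microsoft's advisory: it reads an IIS 7.0 `applicationHost.config` and lists the application pools still running as NetworkService or LocalService, which are the pools the workaround would move to a created account. The sample configuration, the pool names, the `svc_shop` account and the `schema_default` parameter are constructed assumptions, and the script does not check MSDTC.

```python
import xml.etree.ElementTree as ET

# Built-in accounts named in the advisory quote; pools running as these share an identity.
SHARED_IDENTITIES = {"NetworkService", "LocalService"}

# Constructed sample in the layout of an IIS 7.0 applicationHost.config (not a real server).
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="Intranet">
        <processModel identityType="LocalService" />
      </add>
      <add name="Shop">
        <processModel identityType="SpecificUser" userName="svc_shop" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>"""


def audit_app_pools(config_xml, schema_default="NetworkService"):
    """Return (pool, identityType, userName, needs_change) for every app pool.
    schema_default is an assumption: the identity used when neither the pool nor
    applicationPoolDefaults sets identityType (NetworkService on IIS 7.0).
    """
    pools = next(ET.fromstring(config_xml).iter("applicationPools"), None)
    if pools is None:
        return []
    default_pm = pools.find("applicationPoolDefaults/processModel")
    inherited = schema_default
    if default_pm is not None:
        inherited = default_pm.get("identityType", schema_default)
    results = []
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        identity = pm.get("identityType", inherited) if pm is not None else inherited
        user = pm.get("userName", "") if pm is not None else ""
        # Flag shared built-in identities, and SpecificUser pools with no account set.
        needs_change = identity in SHARED_IDENTITIES or (identity == "SpecificUser" and not user)
        results.append((pool.get("name"), identity, user, needs_change))
    return results


if __name__ == "__main__":
    for row in audit_app_pools(SAMPLE_CONFIG):
        print(row)
```

A pool with no `processModel` of its own inherits from `applicationPoolDefaults`, so `DefaultAppPool` in the sample is flagged even though it names no identity.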

Just wondering whether we will see the patch ready on the coming "Black Tuesday" (Monthly Microsoft patch). Please join the poll on "How long should a patch be released after a critical vulnerability was announced?" on the right side of this blog.

Related Reports:
- Microsoft Security Advisory (951306), Vulnerability in Windows Could Allow Elevation of Privilege
- Microsoft Windows SeImpersonatePrivilege Local Privilege Escalation Vulnerability (SecurityFocus)
