Windows Flaw Prompts Security Advisory from Microsoft
Published: April 23, 2008
by Alex Woodie
Public reports of a newly discovered elevation of privilege vulnerability in Windows prompted Microsoft to issue a security advisory last week. Microsoft says customers running the IIS Web server and SQL Server database could be most at risk, and that it's working on a patch.
In Security Advisory 951306, Microsoft says the flaw could be exploited by running specially crafted code on affected machines running Windows XP Professional (but not XP Home Edition), and most editions of Windows Server 2003, Windows Vista, and Windows Server 2008.
Microsoft says the flaw can be exploited if code running in the context of the NetworkService or LocalService accounts gains access to resources in processes that are also running as NetworkService or LocalService. Some of those processes are able to elevate themselves to LocalSystem, so code that has only compromised a NetworkService or LocalService process, such as a worker process hosting user-supplied code, can end up running as LocalSystem.
IIS, SQL Server, and Windows Server 2003 are particularly at risk from the new vulnerability, the company says. Any organization that allows user-supplied code to run on IIS or SQL Server, hosting providers in particular, could be at risk. Additionally, the Microsoft Distributed Transaction Coordinator (MSDTC) service provides another avenue for attack on Windows Server 2003; this vector is not a threat on Windows Server 2008 or Windows Vista, Microsoft says.
Microsoft says it's working to fix the problem, either through a service pack, the monthly Patch Tuesday security update process, or through an out-of-band patch.
In the meantime, Microsoft recommends working around the problem by specifying a WPI (Worker Process Identity) for each IIS application pool: running the pool under a dedicated account instead of the default NetworkService, so the worker process no longer shares an identity, and therefore access to process resources, with the other services running as NetworkService or LocalService.
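The WPI workaround as an added example, written for this editorial pass and not code from the article or from Microsoft's advisory: a PowerShell script that moves one application pool onto a dedicated account using appcmd.exe on IIS 7 (Windows Server 2008 and Vista) or adsutil.vbs on IIS 6 (Windows Server 2003), then reports whether pools are still running under a built-in service identity. The pool name and account name are placeholders; the appcmd and adsutil invocations are the ones documented for those IIS versions and should be checked against the host before use.

```powershell
# Added example (not from the article or from Microsoft's advisory): move an IIS
# application pool off the shared NetworkService identity onto a dedicated
# account, i.e. set a Worker Process Identity (WPI) for the pool.
# Pool and account names are placeholders; use one dedicated account per pool.
param(
    [string]$PoolName = "DefaultAppPool",
    [string]$UserName = "CORP\svc_defaultpool"   # placeholder account
)

# appcmd.exe ships with IIS 7 (Windows Server 2008 / Vista); IIS 6 on
# Windows Server 2003 is configured through adsutil.vbs instead.
$AppCmd  = Join-Path $env:windir      "system32\inetsrv\appcmd.exe"
$AdsUtil = Join-Path $env:SystemDrive "Inetpub\AdminScripts\adsutil.vbs"

# Prompt for the password rather than embedding it in the script; the
# configuration tools need it in plaintext, so convert it only for the call.
$secure = Read-Host "Password for $UserName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

if (Test-Path $AppCmd) {
    # IIS 7: identityType SpecificUser runs the worker process as the given account.
    & $AppCmd set apppool "$PoolName" `
        /processModel.identityType:SpecificUser `
        /processModel.userName:"$UserName" `
        /processModel.password:"$plain" | Out-Null

    # Check: any pool listed here still shares an identity with the services
    # the advisory names and needs the same treatment.
    "Pools still running as NetworkService or LocalService:"
    & $AppCmd list apppool /processModel.identityType:NetworkService
    & $AppCmd list apppool /processModel.identityType:LocalService
}
elseif (Test-Path $AdsUtil) {
    # IIS 6: AppPoolIdentityType 3 = SpecificUser
    # (0 = LocalSystem, 1 = LocalService, 2 = NetworkService).
    $pool = "W3SVC/AppPools/$PoolName"
    cscript //nologo $AdsUtil SET "$pool/AppPoolIdentityType" 3
    cscript //nologo $AdsUtil SET "$pool/WAMUserName" "$UserName"
    cscript //nologo $AdsUtil SET "$pool/WAMUserPass" "$plain"
    # On IIS 6 the account must belong to IIS_WPG to be usable as a WPI.
    net localgroup IIS_WPG "$UserName" /add

    # Check: read the identity type back; anything other than 3 means the pool
    # still runs under one of the built-in service accounts.
    cscript //nologo $AdsUtil GET "$pool/AppPoolIdentityType"
}
else {
    throw "Neither appcmd.exe nor adsutil.vbs found; is IIS installed on this host?"
}

# Drop the plaintext copy once it has been handed to the configuration tool.
$plain = $null
```

Repeat this for every application pool, giving each pool its own account with only the file system rights its site needs. A pool left on NetworkService still shares that identity with the other services the advisory describes, so the check at the end should come back empty (IIS 7) or report 3 (IIS 6) before the workaround is considered in place.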
For more information, see www.microsoft.com/technet/security/advisory/951306.mspx.