Microsoft is investigating reports of a new flaw in Windows Vista
and other versions of the operating system. Local users could
exploit it to boost their system privileges and run malicious
commands on the network.
Mike Reavey of the Microsoft Security Response Center (MSRC)
said in a
blog posting early Friday that the center is "closely
monitoring" developments surrounding a public posting of
proof-of-concept (PoC) code targeting an issue with the Windows
Client/Server Runtime Server Subsystem (CSRSS).
"The PoC reportedly allows for local elevation of privilege on
Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows
XP SP2 and Windows Vista operating systems," Reavey said. "Initial
indications are that in order for the attack to be successful, the
attacker must already have authenticated access to the target
system."
Redwood City, Calif.-based security vendor Determina said in an
advisory that the problem is in how CSRSS processes HardError
messages. "This vulnerability allows a logged-on user to execute
arbitrary code in the CSRSS.EXE process and elevate their
privileges to SYSTEM level," Determina said, adding that the flaw
was first disclosed Dec. 15.
Security researchers concluded that the vulnerability is
primarily a danger in the hands of a malicious insider and is not
remotely exploitable. For that reason, Danish vulnerability
clearinghouse Secunia rated the flaw
less critical, while the French
Security Incident Response Team (FrSIRT) rated it a moderate
risk.
FrSIRT said the specific Windows versions affected by the flaw
are:
- Vista Home
- Vista Business
- Vista Enterprise
- Windows 2000 Service Pack 4
- Windows XP Service Pack 2
- Windows XP Service Pack 1
- Windows Server 2003 Service Pack 1
To mitigate the threat, Secunia recommended that IT shops only
grant network access to trusted users.
Reavey said Vista users shouldn't be discouraged by the flaw.
"While I know this is a vulnerability that impacts Windows Vista, I
still have every confidence that Windows Vista is our most secure
platform to date," he said.