Microsoft finds published exploit of Vista privilege elevation hole

By Scott M. Fulton, III | Published October 13, 2008, 11:25 AM

A less-than-critical Vista hole could become more critical, as Microsoft's security team says it's aware of a published exploit that could enable an ordinary process to pass itself off as a system process with unrestricted access.

Last April, Microsoft admitted to a serious, though perhaps not critical, security hole in all modern versions of Windows including XP and Vista. But a notice posted last Thursday to the company's Security Response Center blog, warning of a published exploit using that same technique, is an indication that the hole has gone unplugged all this time.

Tomorrow being "Patch Tuesday," Microsoft has advised admins to prepare for four "critical" and six "important" patches, and among that latter group are three related to elevation of privilege in Windows. That's all the general public is allowed to know for now, as Microsoft is now limiting the degree of information it shares prior to Patch Tuesday in an effort to thwart "zero-day" exploits. One of those patches could pertain to this particular exploit.

Microsoft made its original acknowledgement last spring after an independent researcher named Cesar Cerrudo gave a presentation in Dubai (PDF available here). There, Cerrudo demonstrated how a process on Windows can obtain the privileges of a service simply by using the ordinary API calls through which processes and services communicate. In Windows, a service is a continually running program that provides functions to the operating system; there are typically dozens of services running at any one time. Communication between a process and a service relies on a legitimate technique with the unfortunate name of impersonation: a thread in the service temporarily takes on the security identity of the process it is serving, so that whatever the service does on that process's behalf is checked against the process's own rights rather than the service's.

Cerrudo showed how, in Windows XP, a process that is itself allowed to impersonate (a right held by processes running under the built-in service accounts) can turn the technique around: rather than being impersonated by a service, it acquires the identity a service thread has taken on from a more privileged caller, and ends up with system-level privileges, which are the same as being completely unrestricted. He then demonstrated how Windows Vista added service-isolation measures to prevent this. Those measures are largely successful, except in the case of thread pools. A multithreaded application can maintain a single thread pool, a set of worker threads that carry out jobs on behalf of the rest of the program, which helps keep the code tighter and more manageable. Vista's protection against service impersonation, Cerrudo showed, did not extend to the threads of such a pool.
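The technique above depends on a low-privileged process sharing an account, and therefore the right to impersonate, with a more privileged process on the same machine. The following PowerShell is an added example (not from the article, Cerrudo's paper, or Microsoft) that a practitioner would run to see how many processes on a given server share the two built-in service accounts; it assumes an elevated session, and the account list is an assumption chosen to match the accounts the article's IIS workaround concerns.

```powershell
# Added example, not from the article: list the processes on a host that run
# under the built-in service accounts, grouped by account. A process that can
# impersonate and that shares an account with a more privileged process is the
# precondition for the technique the article describes, so this is the first
# thing to look at when deciding how exposed a given server is.
# Needs an elevated session to read the owner of every process.

function Get-ServiceAccountProcesses {
    param(
        # Accounts whose processes share a token identity. Assumption: these
        # two are the ones the article's IIS workaround is concerned with.
        [string[]] $Accounts = @('NETWORK SERVICE', 'LOCAL SERVICE')
    )

    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        # ReturnValue 0 means the owner could be read; protected or already
        # exited processes fail here and are skipped.
        if ($owner.ReturnValue -eq 0 -and $Accounts -contains $owner.User) {
            [pscustomobject]@{
                Account = "$($owner.Domain)\$($owner.User)"
                Pid     = $_.ProcessId
                Name    = $_.Name
                Path    = $_.ExecutablePath
            }
        }
    }
}

$procs = Get-ServiceAccountProcesses

# One line per account: how many processes a compromised process under that
# account would sit next to, and which binaries they are.
$procs | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account   = $_.Name
        Processes = $_.Count
        Binaries  = ($_.Group.Name | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize -Wrap
```

A web server whose worker processes appear in the NETWORK SERVICE row alongside other service binaries is exactly the configuration the advisory's workarounds are meant to break up; the per-process list in `$procs` tells you which binaries those are.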

The Microsoft security team's Bill Sisk said in a blog post Thursday he is unaware of any active attacks using the published exploit, adding, "Our investigation has shown that it does not affect customers who have applied the workarounds listed in the Advisory." Those workarounds for admins involve IIS 6.0 and IIS 7.0, and come down to the worker process identity: running each IIS worker process under a dedicated account rather than the default shared service account, so that any code an attacker manages to run inside a web application does not share an identity, and with it the right to impersonate, with the more privileged processes on the same machine.
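The worker-process-identity change described above, as an added PowerShell example for IIS 7.x that is not Microsoft's own script and is not a substitute for the advisory's exact steps: it reports application pools still running under a shared identity and moves a pool onto a dedicated account. It assumes the WebAdministration module, an elevated session, and that the dedicated account (the `IIS_` names below are placeholders) has already been created.

```powershell
# Added example, not from the article or the advisory: audit IIS 7.x
# application pool identities and move any pool that runs under a shared
# identity onto a dedicated account.
# Assumptions: WebAdministration module available (IIS 7.0+ with the
# PowerShell snap-in/module), elevated session, dedicated account exists.

Import-Module WebAdministration

# Identity types that share a token identity with other services on the host.
# ApplicationPoolIdentity is per-pool and is deliberately not in this list.
$sharedIdentities = @('NetworkService', 'LocalService', 'LocalSystem')

function Get-SharedIdentityAppPools {
    Get-ChildItem IIS:\AppPools | Where-Object {
        $sharedIdentities -contains $_.processModel.identityType
    } | Select-Object Name, @{ n = 'Identity'; e = { $_.processModel.identityType } }
}

function Set-DedicatedAppPoolIdentity {
    param(
        [Parameter(Mandatory)] [string]       $PoolName,
        [Parameter(Mandatory)] [string]       $UserName,   # placeholder, e.g. 'IIS_Pool01'
        [Parameter(Mandatory)] [securestring] $Password
    )
    # IIS stores the password in applicationHost.config (encrypted by IIS), so
    # it has to be passed as plain text to the provider.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $UserName
        password     = $plain
    }
}

# Report every pool still sharing an identity with other services.
$exposed = Get-SharedIdentityAppPools
$exposed | Format-Table -AutoSize

# Remediate: one dedicated account per pool, prompting for each password.
foreach ($pool in $exposed) {
    $user = "IIS_$($pool.Name)"          # placeholder naming scheme
    $pwd  = Read-Host -AsSecureString "Password for $user"
    Set-DedicatedAppPoolIdentity -PoolName $pool.Name -UserName $user -Password $pwd
}

# Verify nothing is left on a shared identity.
Get-SharedIdentityAppPools
```

The dedicated account needs only the rights the site actually uses (file system access to its content and log paths); IIS adds the worker process to the IIS_IUSRS group at run time, so the account does not need to be a member of anything else. On later IIS versions, the per-pool ApplicationPoolIdentity virtual account achieves the same separation without managing passwords.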

Comments


Shinier OS, same Windoze. Still full of security holes. Time to get a Mac. :)

Score: 0

|

Yeah, Apple is on what their 5th set of patches since release?

Yup, definitely an expert in security there...

Score: 0

|

Only toolie is paranoid that someone criticizes his messiah/obama-like OS. Get Linux and start laughing at these weekly "Windows Sucks!" articles.

Score: 0

|

That's pretty amusing considering I make a career out of security of Linux and Windows systems. Linux and Windows both have pretty blazingly bad holes in them.

Score: 0

|

Maybe, but at least Linux is still far more secure and stable in comparison.

Score: 0

|

Well, Linux is a bit more secure, but more stable? I'm not so sure there. VISTA is pretty darn stable now. I'm not sure that's much of an issue anymore with either Linux or Win.

Score: 0

|

Hahaha. He agreed with me, and then rightly questioned whether the hole is accessible with UAC enabled or not.

You should be trolling me, but you suck at working that out too.

Score: 0

|

Heh...

This moron can't even make a post anymore without mentioning li'l ol' me.

What's particularly amusing, is that he seems to think I back Obama? Now ain't that the funniest damned thing you've read all week? (yeah, it is only Monday)...

Why should I switch? I get plenty of laughs from you, sjc001, and your numerous alts. Pity El Dingo fled the coop. He was actually rational on occasion...

Score: 0

|

Of course, you provide *nothing* to actually back that up...as usual.

...and they call *me* a tool.

*laughs*

Score: 0

|

What a retard you are. [rollseyes] Yes, you are also a tool.

Score: 0

|

Do you know what paranoid means...? [smiles]

Old sToolie is such a retard as well.

Score: 0

|

OMG!

Never have I seen such numbers and facts that show once and for all that everything you say is true.

Oh wait...

I knew I was dreaming the fact that you would post something relevant.

Score: 0

|

He could back it up with the number of viruses and malware currently affecting the Linux platform as a whole...

Score: 0

|

Stop terminalx, stop. You sound emotional and pathetic. Everybody and their mother knows Unix-based OSes are FAR more secure and FAR less vulnerable to malware. Nobody needs to produce facts and stats that are as obvious as water in a rainstorm just to please a pair of Winblows fanboys like you and PC_Troll. Get over yourself and accept the fact that Linux and Mac OS X will FOREVER be more secure than Winblows. :)

Score: 0

|

Sure he could. But he *never* does.

..and when faced with *any* form of criticism, or argument, he turns into a petulant child.

See any of his posts in this thread for examples.

Score: 0

|

*laughing*

The Apple fanboy of all fanboys accusing *others* of being fanboys.

Isn't that rich, folks?

Score: 0

|

Yes, in fact. I am paranoid.

The belief that there are hundreds, possibly thousands of brainless incompetent morons like yourself out there scares the living Hell out of me.

But then I calm myself by browsing forums such as this and being shown time and again how thankfully irrelevant you all are.

Score: 0

|

:) That's gotta hurt.

Score: 0

|

:)

Is this the week of retribution?

Score: 0

|

That didn't take long. As I had said before. UAC is worthless.

Score: 0

|

Yes, but you were wrong before, just as you are now.

*yawn*

Score: 0

|

As if anything you say actually matters, retard.

Score: 0

|

*laughing*

Riiiight. You, the MSFT troll who posts nothing but snarky BS and the usual troll rhetoric, are now calling me names.

Amazing.

You can't be bothered to actually argue facts, or even attempt to back up your lame-ass comments, so you descend to calling anyone who disagrees with you (any *thinking* person) childish names.

...how cute.

Score: 0

|

Did I hear someone breaking wind?

Score: 0

|

Lol he says as if what he says matters.

Score: 0

|

Oh how intelligent. Didn't really expect more though TBH.

Score: 0

|

Childish? Check.

Infantile? Check.

Fart jokes? check.

Yep, that's sjc001 for ya. SSDD...

Score: 0

|

Last April, Microsoft admitted to a serious, though perhaps not critical, security hole in all modern versions of Windows including XP and Vista.

With or without UAC enabled?

Score: 0

|

So a process can assume root/admin privileges and take over the machine and the exploit is not critical...

Gee, I'm glad this isn't serious!

I guess critical is when lots of folks have already been effectively frozen out of their machines or they have taken off on some other fascinating foray of their own.

That kinda puts the myriad number of 'critical' Windows updates into perspective. And renders most potential exploits on other platforms as anything but critical - as many are theoretical at best.

It's fascinating to see that the risk is not based upon the potential harm that can reasonably be committed, but simply upon how many machines have already been compromised!

LOL!

Score: 0

|

Perhaps they have set rules for what is constituted critical and don't make exceptions.

Perhaps the process to go about taking advantage of this flaw is considered to be important and not critical.

At the end of the day it's being fixed, so cheer up you ol' bugger.

Score: 0

|

you mean at the end of 5+ years? sounds lazy to me, admitting a serious flaw and then admitting to ignoring it for 5+ years... wtg ms

Score: 0

|

Prioritise.

What's being attacked at the moment is more important to fix than that which isn't being attacked.

Sure, 5 years is longer than I'd have expected, but it's patched now. What's the gripe? No one got infected.

Score: 0

|

Hey, they need *something* to b**** about....

Score: 0

|

All you have is yourself.......

Score: 0

|

It may surprise you, my faithful companion (just like a sad little puppy dog), but I don't depend on the praise or encouragement of anonymous internet trolls to support my sense of self-worth.

Of course, the constant, unstoppable, and very entertaining rush of idiots like you to lap at my feet damned near every post I make does indeed give a small, fleeting ego boost.

Apparently, if it pisses off unthinking, cognitively challenged folk such as yourself, I'm doing something right. ;)

Score: 0

|

Of course you don't. You would die of loneliness waiting for it. The same could be said of your "love life". That's why you're a "self-starter"....

Score: 0

|

Oh, get a life, loser.

Score: 0

|

*yawn*

My 10 year old could do better, child.

Score: 0

|
