Microsoft has released a security bulletin alerting customers to a privilege escalation vulnerability in its latest and greatest operating systems. Yes, the ones re-built from the ground up for heightened security. Whoops.
The bug occurs when you enable Microsoft's IIS webserver, or if you install the SQL database engine. When exploited, any code run under the IIS or SQL user can be instantly and invisibly upgraded to run under the LocalSystem account – which allows for modification to any file on the computer. Game over, basically.
The flaw is common to all Windows releases including Windows XP Service Pack 2, Windows Vista, Windows Server 2003, and Windows Server 2008. Embarrassingly, Vista is vulnerable even if you've applied the recently-released Service Pack 1. Although there are no known exploits for the issue at the moment, it's still a pretty major hole, and one Microsoft will be keen to plug as soon as possible.
The good news is that because the flaw relies on IIS or SQL being active – aside from an attack against Server 2003 involving the Distributed Transaction Coordinator – it's mainly Windows-based web hosts who'll be sweating until Microsoft releases a patch.
Home users aren't completely off the hook, however: although the hole requires IIS or SQL to be installed and active, the flaw actually resides within Windows itself rather than in the add-on software – it's the way Windows handles the SeImpersonatePrivilege that's at issue here. Accordingly, it's not inconceivable that an exploit could be written that would bypass this requirement and allow standard home installs to be attacked as well.
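A defender's check on the point above, as an added example that is not part of the original article or Microsoft's advisory: it lists which principals are granted SeImpersonatePrivilege in a `secedit` user-rights export and flags any outside an assumed default baseline. The function name, the baseline table and the sample export are constructed for illustration.

```powershell
# Added example: list which principals hold SeImpersonatePrivilege.
# Real input comes from:  secedit /export /cfg rights.inf /areas USER_RIGHTS
# then:                   Get-Content rights.inf | Get-ImpersonateHolder

# Assumed baseline of well-known SIDs; adjust to your own build standard.
$Baseline = @{
    'S-1-5-19'     = 'LOCAL SERVICE'
    'S-1-5-20'     = 'NETWORK SERVICE'
    'S-1-5-6'      = 'SERVICE'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
}

function Get-ImpersonateHolder {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin { $inSection = $false }
    process {
        $text = $Line.Trim()
        # Track which INF section we are in; only [Privilege Rights] matters.
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            return
        }
        if (-not $inSection) { return }
        if ($text -notmatch '^SeImpersonatePrivilege\s*=\s*(.*)$') { return }
        # Entries are comma-separated; SIDs carry a leading '*', names do not.
        foreach ($entry in ($Matches[1] -split ',')) {
            $id = $entry.Trim().TrimStart('*')
            if (-not $id) { continue }
            [pscustomobject]@{
                Principal = $id
                KnownAs   = $Baseline[$id]
                Review    = -not $Baseline.ContainsKey($id)
            }
        }
    }
}

# Constructed sample export (not from a real host); the last SID is made up.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1005
SeDebugPrivilege = *S-1-5-32-544
'@ -split "`r?`n"

# Show only the holders that fall outside the assumed baseline.
$sample | Get-ImpersonateHolder | Where-Object Review | Format-Table -AutoSize
```

Any principal flagged for review is an account whose code could be in a position to benefit from the flaw, so web and database service identities are the ones to look for first.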
Anybody here relying on a Windows webhost and reading the advisory with trepidation, or is it an unlikely attack vector that no-one needs to worry about? Perhaps you're just annoyed at Microsoft missing this bit of shared code when it was creating Vista from scratch? Share your thoughts over in the forums.