AU-2008.0020 -- AusCERT Update - [Win] - Microsoft Security Advisory 951306 has recently been updated with details of publicly available exploit code

Date: 15 October 2008
References: AA-2008.0093  


AusCERT Update AU-2008.0020 - [Win]
Microsoft Security Advisory 951306 has recently been updated with details
of publicly available exploit code
15 October 2008

        AusCERT Update Summary
        ----------------------

Product:              Windows XP
                      Windows Vista
                      Windows Server 2003
                      Windows Server 2008
Operating System:     Windows
Impact:               Administrator Compromise
Access:               Existing Account
CVE Names:            CVE-2008-1436
Member content until: Wednesday, November 12 2008

Ref:                  AA-2008.0093

OVERVIEW

	Microsoft Security Advisory 951306 (originally released on April
	17 2008) has recently been updated with details of publicly
	available exploit code. [1]


IMPACT

	Successful exploitation of the vulnerability described in the
	advisory would allow an authenticated user to elevate their
	privileges to LocalSystem.

	The exploit requires the authenticated user to be able to run code,
	such as within Internet Information Services (IIS) and SQL Server.
	Microsoft notes that hosting providers may be at increased risk.

	The vulnerability affects Windows XP (SP2 and SP3), and all
	supported versions of Windows Vista, Windows Server 2003, and
	Windows Server 2008.


MITIGATION

	Currently there is no patch available - however Microsoft suggests
	the following workarounds:

	* IIS 6.0 - Configure a Worker Process Identity (WPI) for an
	  application pool in IIS to use a created account in IIS Manager
	  and disable MSDTC

	* IIS 7.0 - Specify a WPI for an application pool in IIS Manager

	* IIS 7.0 - Specify a WPI for an application pool using the Command
	  Line utility APPCMD.exe
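
	An added example, not part of the AusCERT bulletin or Microsoft's
	advisory: a check for the IIS 7.0 workarounds above that reads
	applicationHost.config and lists application pools not yet running
	under a created account. The function names, pool names and account
	names are constructed; the file layout and the NetworkService schema
	default are assumptions about a stock IIS 7.0 install.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IIS 7.0 applicationHost.config
# (pool and account names are made up for this example).
SAMPLE_CONFIG = """\
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="CustomerA"><processModel identityType="SpecificUser" userName="svc_customer_a" /></add>
      <add name="CustomerB"><processModel identityType="LocalSystem" /></add>
      <add name="CustomerC"><processModel identityType="SpecificUser" userName="" /></add>
      <applicationPoolDefaults><processModel identityType="NetworkService" /></applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""

# Assumption: the IIS 7.0 schema default when nothing is configured.
SCHEMA_DEFAULT = "NetworkService"


def audit_pool_identities(config_xml):
    """Return {pool: (identityType, userName, uses_created_account)}."""
    pools = ET.fromstring(config_xml).find("system.applicationHost/applicationPools")
    if pools is None:
        raise ValueError("no <applicationPools> section found")
    # Pools without their own <processModel> inherit applicationPoolDefaults.
    defaults = pools.find("applicationPoolDefaults/processModel")
    default_type = SCHEMA_DEFAULT if defaults is None else defaults.get("identityType", SCHEMA_DEFAULT)
    default_user = "" if defaults is None else defaults.get("userName", "")
    report = {}
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        id_type = default_type if pm is None else pm.get("identityType", default_type)
        user = default_user if pm is None else pm.get("userName", default_user)
        # The workaround is in place only when a named account is configured.
        ok = id_type == "SpecificUser" and bool(user.strip())
        report[pool.get("name")] = (id_type, user, ok)
    return report


def pools_needing_wpi(config_xml):
    """Names of pools still running under a built-in or unset identity."""
    return sorted(n for n, (_, _, ok) in audit_pool_identities(config_xml).items() if not ok)

if __name__ == "__main__":
    for name in pools_needing_wpi(SAMPLE_CONFIG):
        print("no dedicated worker process identity:", name)
```

	The check covers IIS 7.0 only; IIS 6.0 keeps its application pool
	settings in the metabase rather than in this file.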

	Microsoft is investigating whether a service pack, a monthly
	security update or an out-of-cycle security update should be
	released.


REFERENCES

        [1] Microsoft Security Advisory (951306): Vulnerability in
            Windows Could Allow Elevation of Privilege
            http://www.microsoft.com/technet/security/advisory/951306.mspx

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
