copyright | disclaimer | privacy | contact

HOME   About AusCERT   Membership   Contact Us   PKI Services   Training   Publications   Sec. Bulletins   Conferences   News & Media   Services   Web Log   Site Map   Site Help   Member login Login »  Become a member »   Home » Security Bul... » By Operating... » Windows (all) » AU-2008.0020 -- AusCERT Update - [Win] - Microsoft S...   AU-2008.0020 -- AusCERT Update - [Win] - Microsoft Security Advisory 951306 has recently been updated with details of publicly available exploit code Date: 15 October 2008 References: AA-2008.0093   Click here for printable version -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 AusCERT Update AU-2008.0020 - [Win] Microsoft Security Advisory 951306 has recently been updated with details of publicly available exploit code 15 October 2008 AusCERT Update Summary ---------------------- Product: Windows XP Windows Vista Windows Server 2003 Windows Server 2008 Operating System: Windows Impact: Administrator Compromise Access: Existing Account CVE Names: CVE-2008-1436 Member content until: Wednesday, November 12 2008 Ref: AA-2008.0093 OVERVIEW Microsoft Security Advisory 951306 (originally released on April 17 2008) has recently been updated with details of publicly available exploit code. [1] IMPACT Successful exploitation of the vulnerability described in the advisory would allow an authenticated user to elevate their privileges to LocalSystem. The exploit requires the authenticated user to be able to run code, such as within Internet Information Services (IIS) and SQL Server. Microsoft makes mention that hosting providers may be at increased risk. The vulnerability affects Windows XP (SP2 and SP3), and all supported versions of Windows Vista, Windows Server 2003, and Windows Server 2008. MITIGATION Currently there is no patch available - however Microsoft suggests the following workarounds: * IIS 6.0 - Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager and disable MSDTC * IIS 7.0 - Specify a WPI for an application pool in IIS Manager * IIS 7.0 - Specify a WPI for an application pool using the Command Line utility APPCMD.exe Microsoft is investigating whether a service pack, a monthly security update or an out-of-cycle security update should be released. REFERENCES [1] Microsoft Security Advisory (951306): Vulnerability in Windows Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/advisory/951306.mspx AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSPVrOyh9+71yA2DNAQIglwP9GS3NoL0JZxXCHIQuEzSwLwhJlAGOlINv SYyX57lGycA4YS6Bw2uIzVPBC3TpgELnl6tNtalJJvUXuzE4REjCiy70XTROFwvV sswsr0A7zme1pW8pagIoM2yc1DNUJPJ9P6r/ajwVJENHeHBM0qTIdp7odvPkyRk2 prlf9oPmu70= =hac5 -----END PGP SIGNATURE-----

Comments? Click here http://www.auscert.org.au/render.html?cid=21&it=9972