Skip the navigation
News

Exploit code loose for six-month-old Windows bug

But Microsoft does not commit to a patch after researcher released attack

By Gregg Keizer
October 10, 2008 12:00 PM ET

Computerworld - Microsoft Corp. yesterday acknowledged that exploit code is circulating for a vulnerability it reported six months ago, but it has yet to patch.

It's not clear whether Microsoft intends to fix the flaw next week.

On Thursday, Microsoft revised a security advisory it first posted April 19 about a bug in Windows XP, Vista, Server 2003 and Server 2008 that could be exploited to gain additional privileges on vulnerable machines. "Exploit code has been published on the Internet for the vulnerability addressed by this advisory," confirmed Bill Sisk, a communications manager at Microsoft's Security Response Center in a post to the MSRC blog.

The vulnerability has a convoluted history.

In late March, Argentinean security researcher Cesar Cerrudo announced he had found a bug that could let attackers bypass some of the security schemes in the newest versions of the operating system, including Windows Server 2008. At the time, Sisk called Cerrudo's bug a "design flaw" rather than a vulnerability, and downplayed the threat.

Only after Cerrudo presented his findings at a security conference in April in the United Arab Emirates did Microsoft change its tune and call the flaw a security problem.

On Wednesday, Cerrudo posted a proof-of-concept (PoC) exploit for the months-old vulnerability. "It has been a long time since [my April] presentation was published, so I decided to release a PoC exploit for Windows Server 2003 that allows [you] to execute code under [a] SYSTEM account," Cerrudo said in the description of his exploit on milw0rm.com.

"Basically, if you can run code under any service in Windows Server 2003 then you can own Windows," he added. "So if you can run code from an ASP .Net or classic ASP Web application, then you can own Windows, too."

Microsoft has yet to issue a fix for the flaw; since April its own move has been to recommend work-arounds for customers running Internet Information Services.

Not only has Microsoft not patched the problem, but it continued to be noncommittal about a fix yesterday. "Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs," the advisory's boilerplate language read.

Sisk didn't promise a fix in his blog post, either. "We will continue to monitor the situation and post updates to the advisory and the MSRC blog as we become aware of any important new information," he said yesterday.

Also on Thursday, Microsoft published its monthly pre-patch notice outlining what would be fixed next week. Although six of the 11 expected updates will affect Windows, and two of those six will affect the editions called out by the April advisory, Microsoft does not provide enough detail prior to patching to determine whether one of those will fix the privilege elevation flaw.

Both of the potential updates were labeled as "important," Microsoft's second-from-the-top threat rating; the company typically ranks privilege elevation vulnerabilities as "important."

Microsoft will release October's security updates at approximately 1 p.m. EST on Tuesday.

Read more about Security in Computerworld's Security Topic Center.



Additional Resources
Forrester Consulting - Optimizing Users and Applications in a Mobile World
WHITE PAPER
Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.

Read now.

Security KnowledgeVault
WHITE PAPER
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

Cut Communications Costs Once and for All
WHITE PAPER
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Security White Papers
Overcome Top 7 Admin Challenges of Active Directory
As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
Insiders Can Ruin Your Company. Take Action.
Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
Top Solutions and Tools to Prevent Devastating Malware
Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
X-Ray of the PCI Process-4 Proactive Steps
This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
Identity Governance: The Business Imperatives
This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make...
All Security White Papers
Security Webcasts
Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game
When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
Introduction to VMware vCenter Site Recovery Manager 5
Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
The Top Ten Secrets to Avoiding SAN Performance Problems
Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
Deduplication Without Compromise
Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
Director of Disk Products Discusses DXi6700
Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
Playing Defense: Staying on Top of Your Disaster Recovery Game
When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
All Security Webcasts
Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all newsletters | Privacy Policy
IT Jobs