- Insider threat looms large in San Francisco
- Woman fired over death threat
- IT admin pleads not guilty
- Tape storage gets more dense
- Top 10 worst uses for Windows
News | Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Microsoft has warned of an unpatched security vulnerability in Windows that could put many website hosting providers at risk.
The bug affects a number of versions of Windows, including Windows XP Professional Service Pack 2, Windows Server 2003, Windows Vista and Windows Server 2008, and could allow malicious local users who have authentication to execute specially crafted code to raise their privileges to LocalSystem.
While only local users can exploit the flaw, this could be a problem for hosting providers running Internet Information Services (IIS) and SQL Server.
If a legitimate hosting user were to gain additional privileges, he could conceivably attack other sites hosted by the same provider.
"Hosting providers may be at increased risk from this elevation of privilege vulnerability," Microsoft said in the advisory.
The problem was first spotted by Cesar Cerrudo, of security provider Argeniss, who made a presentation on it at the recent Hack In The Box 2008 security conference in Dubai.
Microsoft isn't aware of any attacks that have used this vector so far. The company said it is investigating the issue and will later decide how to issue a fix.
"While the vulnerability is limited to a local privilege escalation, IIS's susceptibility is concerning," McAfee researcher Karthik Raman noted in an advisory. "The web server is widely used on the internet, and is a top pick by web-hosting providers."
No patch is currently available, but Microsoft issued workaround instructions for IIS 6.0 and IIS 7.0.
Microsoft's next patch day is May 13.
Rss FeedRss Feed
Investment of a Technology should be 'held off' because there hasn't been enough investment in it yet? Is...- Anonymous
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask to prospective vendors to get the right endpoint solution.
Download the white paper.
Unauthorized applications: Taking back control
Employees installing and using unauthorized applications like IM, VoIP, games and peer-to-peer file-sharing applications cause many businesses serious concern. How do you control these applications?
Download the white paper.
Comment