Microsoft Security Advisory (2264072)

What is the scope of the advisory? 
The security advisory addresses the potential for attacks that leverage the Windows Service Isolation feature by helping to clarify the proper use and limits of the Windows Service Isolation feature, and by providing workarounds.

This security advisory also provides notification of an optional, non-security update available for download from the Microsoft Download Center to address an attack vector through Windows Telephony Application Programming Interfaces (TAPI).

Is this a security vulnerability that requires Microsoft to issue a security update? 
No. The Windows Service Isolation feature is an optional configuration that some customers may choose to deploy. This feature is not appropriate for all customers. Windows Service Isolation is a defense-in-depth feature and not a proper security boundary and should not be construed as such.

What is Windows Service Isolation feature? 
The Windows Service Isolation feature does not correct a security vulnerability, but instead is a defense-in-depth feature that may be useful for some customers. For instance, service isolation enables access to specific objects without the need to run a high-privilege account or weaken the security protection of the object. By using an access control entry that contains a service SID, a SQL Server service can restrict access to its resources. For more information about this feature and how to appropriately configure it, see Microsoft Knowledge Base Article 2264072.

What is the "impersonate a client after authentication" privilege? 
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.

What is the NetworkService Account? 
The NetworkService account is a predefined local account used by the service control manager. It has special privileges on the local computer and acts as the computer on the network. A service that runs in the context of the NetworkService account presents the computer's credentials to remote servers. For more information, see the MSDN article, NetworkService Account.

How is IIS affected by this issue? 
Systems running user-provided code in Internet Information Services (IIS) may be affected. For example, ISAPI filters, ISAPI extensions, and ASP.NET code running in full trust may be affected by this vulnerability.

IIS Servers are at a reduced risk to the attacks described in this advisory in the following scenarios:

• Default Installations of IIS 5.1, IIS 6.0, and IIS 7.0 block the attack vector from anonymous users because, in the default configuration, anonymous uploads are not allowed.
• All known attack vectors through IIS are blocked where ASP.NET is configured to run with a trust level lower than full trust.

In order to be successful on a Web server, an attacker would first have to add specially crafted Web content to an IIS Web site. An attacker could then use access to this specially crafted Web content to elevate to running processes as LocalSystem.

Normally, untrusted users are not allowed to add Web content to an IIS Web site. However, some Web hosts are more at risk to attacks because they explicitly offer hosting for third-party Web content.

IIS on Windows Server 2003 and Windows Server 2008 may be more at risk to this issue since the default worker process identity is NetworkService.

How could an attacker exploit the issue on an IIS server? 
An attacker could upload a specially crafted Web page to a Web site and use access to this page to elevate to running processes as LocalSystem. This can also include uploading specially crafted content to Web sites that accept or host user-provided content or advertisements. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

How is SQL Server affected by this issue? 
Systems running SQL Server may be affected if a user is granted SQL Server administrative privileges (which would allow the user to load and run code). A user with SQL Server administrative privileges could run specially crafted code that is used to leverage the attack. However, this privilege is not granted by default.

How could an attacker exploit the issue on a SQL server? 
A user with SQL Server administrative privileges could run specially crafted code used to leverage the attack on the affected SQL server.

How is TAPI affected by this issue? 
For information on how Windows Telephony Application Programming Interfaces (TAPI) is affected by this issue, refer to the next section, Frequently Asked Questions specifically about the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability - CVE-2010-1886.

What might an attacker use this issue to do? 
An attacker who successfully exploited this issue could run specially crafted code in the context of the LocalSystem account. An attacker could then install programs; view, change, or delete data; or create new accounts with full LocalSystem rights.

What systems are primarily at risk from this issue? 
All systems running software that is listed in the Overview section are at risk, but Windows XP Professional Service Pack 3 and all supported editions of Windows Server 2003 and Windows Server 2008 running IIS are at an increased risk.

In addition, IIS Web servers that allow users to upload code are at increased risk. This may include Web hosting providers or similar environments.

SQL Server systems are at risk if untrusted users are granted privileged account access.

I am using an older release of the software discussed in this security advisory. What should I do? 
The affected software listed in this advisory have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Where can I find the non-security update for this vulnerability? 
The update is available for download from the Microsoft Download Center only. For more information about the update, including download links and the changes to behavior, see Microsoft Knowledge Base Article 982316.

What is the Windows Telephony Application Programming Interface (TAPI)? 
The TAPI server (TAPISRV) is the central repository of telephony data on a user computer. This service process tracks local and remote telephony resources, applications registered to handle Assisted Telephony requests, and pending asynchronous functions, and it also enables a consistent interface with telephony service providers (TSPs). For more information and a diagram that illustrates the relationship of the TAPI Server to other components and an overview of their roles, see Microsoft Telephony Programming Model.

What causes this threat? 
The vulnerability is due to the Windows Telephony Application Programming Interfaces (TAPI) transaction facility allowing the NetworkService token to be obtained and used when making an RPC call.

Is this a security vulnerability that requires Microsoft to issue a security update? 
No. This update implements a defense-in-depth change that some customers may choose to deploy. Customers who do not run IIS or SQL, or those who have implemented the workarounds listed below, should evaluate this defense-in-depth update before applying it.

This is a security advisory about a non-security update. Isn’t that a contradiction? 
Security advisories address security changes that may not require a security bulletin but may still affect customer’s overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security.

Why is Microsoft issuing an update for this component? 
Although this is not a vulnerability that requires a security update to be issued, an attacker could elevate from NetworkService to LocalSystem using the TAPI service, which runs as system. An attacker must already be running with elevated privileges to exploit this issue. This service isolation was implemented as a defense-in-depth measure only and does not constitute a security boundary.

What systems are primarily at risk from this vulnerability? 
Systems running Windows Telephony Application Programming Interfaces (TAPI) are primarily at risk. This could include all systems running software that is listed in the Overview section. In addition, Windows XP Professional Service Pack 3 and all supported editions of Windows Server 2003 and Windows Server 2008 running IIS, IIS Web servers that allow users to upload code, and SQL Server systems where untrusted users are granted privileged account access are at an increased risk. This may include Web hosting providers or similar environments.

What might an attacker use this vulnerability to do? 
An attacker who successfully exploited this vulnerability could run specially crafted code with system-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must already have permissions to execute code as NetworkService in order to successfully exploit this issue.