Microsoft Security Advisory (2264072)
Elevation of Privilege Using Windows Service Isolation Bypass
Microsoft is aware of the potential for attacks that leverage the Windows Service Isolation feature to gain elevation of privilege. This advisory discusses potential attack scenarios and provides suggested actions that can help to protect against this issue. This advisory also offers a non-security update for one of the potential attack scenarios through Windows Telephony Application Programming Interfaces (TAPI).
This issue affects scenarios where untrusted code is being executed within a process owned by the NetworkService account. In these scenarios, it is possible for an attacker to elevate from running processes as the NetworkService account to running processes as the LocalSystem account on a target server. An attacker who successfully elevated to running processes as the LocalSystem account could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Although, in most situations, untrusted code is not running under the NetworkService identity, the following scenarios have been identified as possible exceptions:
- Systems running Internet Information Services (IIS) in a non-default configuration are at an increased risk, particularly if IIS is running on Windows Server 2003 and Windows Server 2008, because the default worker process identity on these systems is NetworkService.
- Systems running SQL Server where users are granted SQL Server administrative privileges are at an increased risk.
- Systems running Windows Telephony Application Programming Interfaces (TAPI) are at an increased risk.
For more detailed information about the above scenarios, see the section, Frequently Asked Questions. For the TAPI scenario, Microsoft is providing a non-security update. For more information about the non-security update, see the section, Frequently Asked Questions specifically about the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability - CVE-2010-1886.
In addition, we are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
For more information about this issue, see the following references:
|Microsoft Knowledge Base Article||2264072|
|Microsoft Knowledge Base Article for TAPI non-security update||982316|
This advisory discusses the following software.
|Windows XP Service Pack 3|
|Windows XP Professional x64 Edition Service Pack 2|
|Windows Server 2003 Service Pack 2|
|Windows Server 2003 x64 Edition Service Pack 2|
|Windows Server 2003 with SP2 for Itanium-based Systems|
|Windows Vista Service Pack 1 and Windows Vista Service Pack 2|
|Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2|
|Windows Server 2008 for 32-bit Systems Service Pack 2|
|Windows Server 2008 for x64-based Systems Service Pack 2|
|Windows Server 2008 for Itanium-based Systems Service Pack 2|
|Windows 7 for 32-bit Systems|
|Windows 7 for x64-based Systems|
|Windows Server 2008 R2 for x64-based Systems|
|Windows Server 2008 R2 for Itanium-based Systems|
Microsoft thanks the following for working with us to help protect customers:
- Cesar Cerrudo of Argeniss for working with us on the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability (CVE-2010-1886)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (August 10, 2010): Advisory published.