Pressure has increased for IT administrators to deploy Microsoft's February security patches, with vulnerability researchers poking around for ways to exploit some of the latest
In particular, researchers have set their sights on the WebDAV Mini-Redirector flaw outlined in MS08-007 and the Internet Information Services (IIS) flaw addressed in MS08-006. The latter issue is of particular interest to researchers who say Microsoft is underplaying the risks.
MS08-006, which Microsoft rated "important," addressed local and remote flaws in IIS attackers could exploit to hijack a targeted machine. It affects Internet Information Services 5.0 on Windows 2000, Internet Information Services 5.1 on Windows XP; Internet Information Server 6.0 on Windows Server 2003; and Internet Information Services 7.0 on Windows Vista. In the "mitigating factors" section of the bulletin, Microsoft said that on supported editions of Windows Server 2003, if IIS is enabled and classic ASP is used, an attacker who successfully exploits the flaw can only obtain Network Service account privileges by default.
That statement is not entirely accurate, said Cesar Cerrudo, founder and owner of Argeniss Information Security.
"Microsoft should not mention as a mitigating factor that code execution is limited to Network Service account since it's known that it's easy to elevate privileges from Network Service to Local System account, and that allows full system compromise," he said, adding that he has personally discovered "many issues" in Windows XP, 2003, Vista and 2008 that allows elevation of privileges from the Network Service account to the Local System account.
In his opinion, Microsoft wrongly downplayed the ability for someone to elevate privileges from the Network Service account to the Local System account, and that IT shops need to be aware of the heightened risks they face, even though the flaw was not deemed critical by Microsoft.
Andrey Kolishchak, chief technology officer and cofounder of GentleSecurity, shared that view in an email exchange, saying the privileges of Network Service could be elevated to Local System, which is the most powerful administrative account on Windows.
"With the power of Local System, an attacker could fully compromise an IIS host by installing a backdoor, rootkit or by using it as a trampoline to attack other hosts on the internal network," he said. What's more, he said, is that the issue outlined in MS08-006 is not just related to IIS. For example, he said, "the same problem would appear if an exploited vulnerability would be found one day in SQL server. The exploit would be able to elevate any non-privileged SQL server account up to Local System."
Among the researchers looking at the IIS issue is HD Moore, creator of the popular Metasploit Framework penetration-testing tool. He released an article Wednesday offering extensive details on how to find, investigate and exploit MS08-006.
Meanwhile, Moore and others are finding ways to exploit the WebDAV Mini-Redirector flaw outlined in MS08-007. More explored how the flaw could potentially be targeted in an article titled "Fun with WebDav," complete with a video demonstration.
Microsoft noted in its critical MS08-007 bulletin that attackers could exploit in the Windows WebDAV mini-redirector to hijack targeted machines and install programs; view, change, or delete data; or create new accounts with full user rights.
Also being targeted by researchers is the "important" Microsoft Works flaw outlined in MS08-011.
A researcher using the nickname "chujwamwdupe" posted an advisory on the MilwOrm site, saying, "A vulnerability exists in WPS to RTF convert filter that is part of Microsoft Office 2003. It could be exploited by [a] remote attacker to take complete control of an affected system. This issue is due to [a] stack overflow error in [a] function that read [sections] from [a] WPS file. When we change size of for example TEXT section to [a] number [larger] than 0×10, [a] stack overflow occurs -- very easy to exploit."