Microsoft investigates new Windows zero-day flaw

By SearchSecurity.com Staff 18 Apr 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft is investigating reports of a new zero-day flaw in Windows attackers could exploit to access extra user privileges and launch malicious code.

Bill Sisk, security response communications manager for Microsoft, said in an email Thursday evening that the flaw allows for privilege escalation from authenticated user to LocalSystem in Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The software giant issued Security Advisory (951306) to offer affected customers some steps to mitigate the threat.

"Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability," the advisory said. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

Sisk's message follows alerts from such security vendors as McAfee, which warned of a potential ActiveX-based zero-day in the McAfee Avert Labs blog.

"A Microsoft Works ActiveX potential zero-day has been disclosed on a handful of Chinese blog sites," McAfee researcher Kevin Beets wrote in the blog. "This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted."

The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll) and successful exploitation could allow for code execution via a controlled pointer, Beets said. For this to occur, however, the victim would need to visit a malicious website.

Tags: Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows Security: Alerts, Updates and Best Practices When BIOS updates become malware attacks Microsoft patches WebDAV security vulnerability in bevy of updates Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Hackers targeting unpatched Microsoft DirectShow flaw Microsoft warns of IIS zero-day vulnerability Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw How to perform Microsoft Baseline Security Analyzer (MBSA) scans Microsoft patches serious Excel zero-day, Windows flaws Microsoft Stirling Beta 2 release includes Exchange SaaS offering

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary BotHunter  (SearchSecurity.com) principle of least privilege (POLP)  (SearchSecurity.com) security identifier  (SearchSecurity.com) trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary