Microsoft is investigating reports of a new flaw in Windows Vista and other versions of the operating system. Local users could exploit it to boost their system privileges and run malicious commands on the network.
Mike Reavey of the Microsoft Security Response Center (MSRC) said in a blog posting early Friday that the center is "closely monitoring" developments surrounding a public posting of proof-of-concept (PoC) code targeting an issue with the Windows Client/Server Runtime Server Subsystem (CSRSS).
"The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems," Reavey said. "Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system."
Redwood City, Calif.-based security vendor Determina said in an advisory that the problem is in how CSRSS processes HardError messages. "This vulnerability allows a logged-on user to execute arbitrary code in the CSRSS.EXE process and elevate their privileges to SYSTEM level," Determina said, adding that the flaw was first disclosed Dec. 15.
Security researchers concluded that the vulnerability is primarily a danger in the hands of a malicious insider and is not remotely exploitable. For that reason, Danish vulnerability clearinghouse Secunia rated the flaw less critical, while the French Security Incident Response Team (FrSIRT) rated it a moderate risk.
FrSIRT said the specific Windows versions affected by the flaw are:
- Vista Home
- Vista Business
- Vista Enterprise
- Windows 2000 Service Pack 4
- Windows XP Service Pack 2
- Windows XP Service Pack 1
- Windows Server 2003 Service Pack 1
To mitigate the threat, Secunia recommended that IT shops only grant network access to trusted users.
Reavey said Vista users shouldn't be discouraged by the flaw. "While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date," he said.