Microsoft Windows access controls may be improperly configured, potentially allowing a local attacker to gain elevated privileges on a vulnerable system.
Microsoft Windows provides numerous fine-grained permissions and privileges to control access to Windows components, such as services, files, and registry entries.
Recent research has uncovered insecure configurations within user accounts and groups on Microsoft Windows systems. These configurations may allow local attackers to gain access to and manipulate system resources. The researchers have developed a model that analyzes permissions to expose privilege escalation vulnerabilities. The research focused on three particular components of the Windows architecture:
A local user with valid login credentials may be able to gain elevated privileges on a vulnerable Windows system.
These issues are corrected in Service Pack 2 for Microsoft Windows XP and Service Pack 1 for Microsoft Windows Server 2003. In addition, Microsoft Security Advisory 914457 and Microsoft Security Bulletin MS06-011 contain numerous workarounds to mitigate these vulnerabilities.
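One way to audit a service's access-control list for the kind of overly permissive entry described above, as an added example (not code from this note or from the researchers' model). It assumes the SDDL string is the text printed by `sc sdshow <service>`; the function name and the sample strings are constructed for illustration.

```python
import re

# SDDL right codes (and their access-mask bits) that let the holder
# reconfigure a service or rewrite its security descriptor.
RISKY = {
    "DC": ("SERVICE_CHANGE_CONFIG", 0x00000002),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GA": ("GENERIC_ALL", 0x10000000),
}
# SDDL SID aliases for broad, non-administrative principals.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "BU": "BUILTIN\\Users", "IU": "INTERACTIVE", "AN": "Anonymous"}

def risky_aces(sddl):
    """Return [(principal, [rights])] for allow ACEs in the DACL that
    grant a risky right to a broad principal."""
    # Take only the DACL ("D:" plus optional flags); the SACL ("S:") is skipped.
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    findings = []
    if not dacl:
        return findings
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;sid
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A" or fields[5] not in BROAD:
            continue
        rights = fields[2]
        if rights.lower().startswith("0x"):       # rights given as a hex mask
            mask = int(rights, 16)
            hits = [name for name, bit in RISKY.values() if mask & bit]
        else:                                     # rights given as 2-letter codes
            codes = set(re.findall("..", rights))
            hits = [name for code, (name, _) in RISKY.items() if code in codes]
        if hits:
            findings.append((BROAD[fields[5]], hits))
    return findings

# Constructed samples: Authenticated Users can change the service config (weak),
# the same service with read/query rights only (tight), and a hex-mask ACE.
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")
TIGHT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
         "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HEX = "D:(A;;0xf01ff;;;WD)"

if __name__ == "__main__":
    for label, sd in (("weak", WEAK), ("tight", TIGHT), ("hex", HEX)):
        print(label, risky_aces(sd))
```

Any finding for a service that runs under a privileged account is a candidate for the workarounds in the advisory and bulletin cited above.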
Macromedia, Inc. Affected
Microsoft Corporation Affected
Appgate Network Security Not Affected
Fujitsu Not Affected
Oracle Corporation Not Affected
ACROS SI Unknown
America Online, Inc. Unknown
Apache HTTP Server Project Unknown
Apple Computer, Inc. Unknown
Cisco Systems, Inc. Unknown
Funk Software Security Group Unknown
IAIK Java Group Unknown
InfoExpress, Inc. Unknown
Inner Media, Inc. Unknown
Lightspeed Systems, Inc. Unknown
Lotus Software Unknown
Lucent Technologies Unknown
MIT Kerberos Development Team Unknown
Mozilla, Inc. Unknown
Pragma Systems Unknown
RSA Security, Inc. Unknown
Skype Technologies Unknown
Sun Microsystems, Inc. Unknown
Symantec, Inc. Unknown
VanDyke Software Unknown
WRQ, Inc. Unknown
Watchguard Technologies, Inc. Unknown
Wind River Systems, Inc. Unknown
Yahoo, Inc. Unknown
These vulnerabilities were reported by Sudhakar Govindavajhala and Andrew W. Appel.
This document was written by Jeff Gennari.
Date First Published: 2006-02-08
Date Last Updated: 2006-04-21 21:58 UTC