Microsoft is aware of published information and proof-of-concept code that attempts to exploit overly permissive access controls on both default Windows XP Service Pack 1 and third-party (i.e., non-Microsoft) application services. This code also attempts to exploit default services of Windows Server 2003. If these attempts were successful, a user who has low user privileges could gain local or remote authenticated escalation. Microsoft has investigated these reports and the findings are summarized in the chart below.

The posted report claims potential threats to Windows XP Service Pack 2. Microsoft has confirmed that customers who run Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 are not vulnerable to Operating System issues because security-related changes were made to these service packs as part of our ongoing security improvement process. Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 may become vulnerable if third party application code is installed which adds services with overly permissive access controls.

While users who run Windows XP Service Pack 1 and Windows Server 2003 Gold may be at risk, the risk to Windows Server 2003 Gold users is extensively reduced. Only members of the network operators group on the targeted machine can remotely attack Windows Server 2003 Gold, and this group contains no users by default.

Questions have also been raised about services running under Windows 2000. No known User group escalations have been identified on Windows 2000. Scenarios have been identified involving Power User group members, but such users should be considered trusted users with extensive privileges and with an ability to change computer wide settings. For additional information on Power User rights please visit Microsoft Knowledge Base Article 825069. Windows 2000 may become vulnerable if third party application code is installed which adds services with overly permissive access controls.

Users are encouraged to contact their third-party software vendors whose products require services installation to determine if any non-default Windows services are affected.

Microsoft is not aware of any attacks attempting to use the reported vulnerabilities or of customer impact at this time. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.

Mitigating Factors:

? The latest Microsoft operating systems, including Windows XP Service Pack2 and Windows Server 2003 Service Pack 1 are not vulnerable to these issues.

? A malicious user who launches an attack based on the finder?s report would require at least authenticated user access to the affected operating systems. By default, Authenticated Users will include Domain Users for domain-joined clients

? Four of the six services identified (NetBT, SCardSvr, DHCP, DnsCache) require an attacker to already be running in a privileged security context. Additionally, the two services that do allow an Authenticated user to attack are vulnerable only on Windows XP Service Pack 1.

? Firewall best practices and standard default firewall configurations can help protect from attacks that originate outside the enterprise perimeter. Best practices also recommend that personal firewalls be used within a network and that systems connected to the Internet have a minimal number of ports exposed.


read more...