[Microsoft Alert] Microsoft Security Bulletin MS06-011
Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)
Issued: March 14, 2006
Version: 1.0
Summary
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Important
Recommendation: Customers should apply the update at the earliest opportunity
Security Update Replacement: None
Vulnerability Details:
A privilege elevation vulnerability exists on Windows XP Service Pack 1 in the identified Windows services, where the permissions are set by default to a level that may allow a low-privileged user to change properties associated with the service. On Windows 2003, permissions on the identified services are set to a level that may allow a user who belongs to the Network Configuration Operators group to change properties associated with the service. Only members of the Network Configuration Operators group on the targeted machine can remotely attack Windows Server 2003, and this group contains no users by default. The vulnerability could allow a user with valid logon credentials to take complete control of the system on Microsoft Windows XP Service Pack 1.
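The condition described above can be checked on any service by reading its security descriptor (for example the SDDL string printed by `sc sdshow <service>`) and looking for allow ACEs that give a low-privileged trustee the right to reconfigure the service. The Python below is an added example, not part of the bulletin or of Microsoft's update; the `LOW_PRIV` trustee set is an assumption and the SDDL strings (`WEAK`, `NETOPS`, `TIGHT`) are constructed samples, since the bulletin text here does not list the services.

```python
import re

# Rights that let the holder reconfigure a service or rewrite its DACL/owner.
RISKY_CODES = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC",
               "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
RISKY_BITS = {0x00000002: "SERVICE_CHANGE_CONFIG", 0x00040000: "WRITE_DAC",
              0x00080000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL",
              0x40000000: "GENERIC_WRITE"}
# Assumption: SDDL trustee aliases treated as low-privileged for this audit.
LOW_PRIV = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Users",
            "IU": "Interactive", "NO": "Network Configuration Operators"}


def risky_rights(rights):
    """Map an SDDL rights field (two-letter codes or a hex mask) to risky rights."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for bit, name in RISKY_BITS.items() if mask & bit]
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [RISKY_CODES[c] for c in codes if c in RISKY_CODES]


def audit_service_sddl(sddl):
    """Return (trustee, rights) pairs where an allow ACE in the DACL lets a
    low-privileged trustee change the service. Deny ACEs are not evaluated."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]  # keep DACL, drop SACL
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":  # only access-allowed ACEs
            continue
        hits = risky_rights(fields[2])
        if fields[5] in LOW_PRIV and hits:
            findings.append((LOW_PRIV[fields[5]], hits))
    return findings


# Constructed sample descriptors (not taken from any real service).
WEAK = "D:(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
NETOPS = "D:(A;;0x2;;;NO)(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
TIGHT = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"

if __name__ == "__main__":
    for name, sddl in (("WEAK", WEAK), ("NETOPS", NETOPS), ("TIGHT", TIGHT)):
        print(name, audit_service_sddl(sddl) or "no low-privileged change rights")
```

A finding for Authenticated Users corresponds to the Windows XP Service Pack 1 case in the bulletin, and a finding for Network Configuration Operators corresponds to the Windows Server 2003 case.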
Affected Software:
Microsoft Windows XP Service Pack 1
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Non-Affected Software:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
References: http://www.microsoft.com/security/bulletins/current.mspx (Microsoft Security Updates)