Windows Security Update Targets Elevation of Privilege Attacks

Microsoft is continuing its investigation into a vulnerability that could allow hackers to gain superuser privileges on various flavors of the Windows OS.

Microsoft this week is continuing its ongoing investigation into what it calls "new public reports" of a vulnerability that could allow hackers to gain superuser privileges through LocalSystem in Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

Redmond late last week issued a Security Advisory adding Windows XP Professional Service Pack 3 to the list of affected software. The advisory provides IT pros with some guidance and workarounds to help avoid a vulnerability that may allow elevation-of-privilege attacks.

The software giant said it is considering other actions, including the provision of a "security update" via its monthly Patch Tuesday security rollout.

This latest update involves a highly technical attack vector similar in scope to a patch released in last April's slate, where a local privilege-escalation vulnerability affected the Windows kernel due to improper validation of user-mode input. In the same manner, with this advisory, an attacker who has gained local access can change user parameters and exploit this issue to execute code with elevated permissions.

Microsoft said in its advisory that administrators that allow customized code to "run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server," should take a look at the advisory.

Off-site server hosting providers running Windows programs may also face increased risk, Microsoft added.

Potential workarounds include log-in and process monitoring specifically in Internet Information Services. Administrators can do this by creating a Worker Process Identity through the ISS manager function in Windows. The same can be done in SQL Server with the database administrator keeping track of users and changes to fields and access privileges.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Azure DevOps Server 2019 Now at Release Candidate 2

    Microsoft released Azure DevOps Server 2019 Release Candidate 2 (RC2), according to a Tuesday announcement.

  • Cloud IT Infrastructure Spending Starting To Take the Lead

    IDC this month published findings on revenues from cloud IT infrastructure spending in the third quarter of 2018, based on server, storage and Ethernet switch sales.

  • How To Run Oculus Rift Apps in Windows Mixed Reality, Part 1

    A lack of apps has been the biggest thorn in the side of Microsoft's mixed reality efforts. One way to get around it is to use apps that were designed for Oculus Rift instead.

  • Windows 10 Mobile To Fall Out of Support in December

    Microsoft will end support for the Windows 10 Mobile operating system on Dec. 10, 2019, according to an announcement.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.