Microsoft Investigating LocalSystem Access Bug

4/22/2008

Security personnel in Redmond are investigating a newly reported zero-day vulnerability in Microsoft operating systems and server systems. The bug, disclosed Thursday by Bill Sisk, security response communications manager for Microsoft, allows authenticated users to escalate their privileges under specific conditions.

Users on a given system can elevate their access privileges to LocalSystem in Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, Sisk explained in an e-mail. The flaw could cause havoc by giving an authenticated user inappropriate write, delete, and change privileges.

The fix for this potential problem is still in the works.

"Microsoft has issued Security Advisory (951306) to provide guidance to affected customers to help them protect themselves. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process," Sisk wrote.

The advisory is specifically addressed to IT pros overseeing an environment where several logged-in users provide their own code. Typically, programmers or administrators would have such rights. Specific cases include users working with Microsoft's Internet Information Services, which supports Web-based operational services, and SQL Server.

To address the issue, IT shops should keep at least a cursory, if not detailed, log of daily access to critical systems and applications. A segregation of duties program may be helpful too. Under such a regimen, programmers aren't deploying applications in a live production environment, and neither are the testers of those applications.

In the security advisory, Microsoft contends that companies providing space on their servers for use by off-site clients, or hosting providers, "may be at increased risk from this elevation of privilege vulnerability."


Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. You can contact Jabulani at editor@entmag.com.

Cite this Site

Jabulani Leffall, "Microsoft Investigating LocalSystem Access Bug," Campus Technology, 4/22/2008, http://www.campustechnology.com/article.aspx?aid=61136
