Virus writers are trying to find a buyer for an exploit targeting a flaw discovered in Windows Vista in December—one dismissed by some researchers as low risk. However, one researcher said the privilege escalation exploit could be paired with a virus to bypass all of the privilege safeguards Microsoft built into Vista and execute at the system level.
“This exploit completely shatters the privilege safeguards,” said Marc Maiffret, chief hacking officer at eEye Digital Security. “It can elevate an unprivileged user to full system access.”
“Vista is supposed to be the most secure thing ever, according to Microsoft,” said Maiffret, “and here’s this exploitable flaw within just a few weeks of its release.”
The vulnerability in question affects four of Microsoft’s operating systems: Windows 2000 SP4, Windows Server SP1, Windows XP SP2 and Vista. Maiffret said the exploit “works against every version of Windows beyond 2000.”
Proof-of-concept code that targets the Client-Server Runtime Subsystem (CSRSS), which performs functions such as launching and closing applications, was publicly released late last month.
A user could launch malicious code within the CSRSS that would elevate privileges, such as going from an ordinary user to an administrator, Thomas Kristensen, chief technology officer for Secunia in Denmark, said in an earlier interview.
To execute the attack, however, a user would already have to be logged onto a machine or have gained access to the network some other way, Kristensen said. Because of this, Secunia rated the vulnerability as “less critical,” he said.
Still, the flaw could potentially let an attacker place a rootkit on a machine and scrub any trace of tampering with the machine, Kristensen said. “It’s still a significant vulnerability which administrators should pay a whole lot of attention to.”
Microsoft was recently made aware of potential vulnerabilities in Windows Vista, said a company spokesperson: “Microsoft is not aware of any active attacks or impact to customers as a result of these responsibly disclosed vulnerabilities. Once the investigation is complete, Microsoft will provide additional guidance to customers.”
“Windows Vista is not a silver bullet,” added the spokesperson. “Security issues will continue even with more secure operating systems, because the threat bar will continue to be raised and hackers will become more aggressive, and that is why Microsoft is taking a defense in-depth approach to helping protect users from malware.”
Maiffret agreed, but said he believes users, not Microsoft, are the last line of defense.
“At the end of the day, it’s still just humans writing code, and they will make mistakes,” said Maiffret. “Users should take this as a warning to be vigilant.”
-By Shawna McAlearney
Jeremy Kirk, IDG News Service, contributed to this report.