Click here to receive your FREE subscription to Campus Technology
News
Microsoft Investigating LocalSystem Access Bug
4/22/2008
Security personnel in Redmond are investigating a newly reported zero-day bug vulnerability in Microsoft operating systems and server systems. The bug, disclosed Thursday by Bill Sisk, security response communications manager for Microsoft, allows escalation of privilege to occur for authenticated users under specific conditions.
Users on a given system can elevate their access privileges to LocalSystem in Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, Sisk explained in an e-mail. It could cause havoc by giving an authenticated user inappropriate write, delete, and change privileges.
The fix for this potential problem is still in the works.
"Microsoft has issued Security Advisory (951306) to provide guidance to affected customers to help them protect themselves. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process," Sisk wrote.
The advisory is specifically addressed to IT pros overseeing an environment where several logged-in users provide their own code. Typically, programmers or administrators would have such rights. Specific cases include users working with Microsoft's Internet Information Services, which supports Web-based operational services, and SQL Server.
To address the issue, IT shops should keep at least a cursory, if not detailed, log of daily access to critical systems and applications. A segregation of duties program may be helpful too. Under such a regimen, programmers aren't deploying applications in a live production environment, and neither are the testers of those applications.
In the security advisory, Microsoft contends that companies providing space on their servers for use by off-site clients, or hosting providers, "may be at increased risk from this elevation of privilege vulnerability."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. You can contact Jabulani at editor@entmag.com.
Cite this Site
copy text (above) for proper citation
Recommended Reading
- RIAA Outsources Fingering of Students Who Share Music Illegally
The RIAA is outsourcing the hunt for music thieves. Its largest target currently is those who operate from within colleges and universities, a move that has piqued the attention of Educause.
- Microsoft Expands Education Footprint in Asia Pacific Region
Microsoft Chairman Bill Gates announced new partnerships to extend accessibility and computer literacy in the Asia Pacific region during a speech in Jakarta at a government leader gathering earlier this week.
- IT Struggling Over Security, Compliance
IT pros are having a hard time balancing security, software patch management and IT auditing with a host of other duties, according to a survey released Monday by Shavlik Technologies.
- Toronto College Upgrades Network with Gigabit Ethernet Wireless Links
Toronto-based George Brown College has gone public about its deployment of six BridgeWave GE60 wireless links to upgrade its campus-wide network.
- Gates Highlights R&D at CES08, Unveils Microsoft Touch Wall
Microsoft's Chairman Bill Gates spent a lot of time Wednesday talking about "empowering the workers" at the Microsoft's 12th annual CEO Summit 2008 in Redmond, WA, where he gave a keynote speech. However, Gates wasn't talking about political revolutions or even pay raises for office workers before the CEO crowd. Instead, he was referring to new software technologies that can better enable collaboration, social networking and decision-making on the job.
- Vista Vulnerability Study Puts Microsoft on Defensive
Microsoft and some independent security researchers had the blogosphere buzzing Wednesday over a series of denunciations after one company claimed that the Vista operating system was more vulnerable to malware and other exploits than previous operating systems.
