Reported December 14, 2004, by Microsoft
VERSIONS AFFECTED
|
· Microsoft Windows NT Server 4.0 Service Pack 6a · Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 · Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 · Microsoft Windows XP Service Pack 1 · Microsoft Windows Server 2003 · Microsoft Windows XP 64-Bit Edition Service Pack 1 |
DESCRIPTION
Two new vulnerabilities exist in Microsoft Windows, both of which could result
in escalation of privileges on the vulnerable system. The first vulnerability
is in the way that the Windows Kernel launches applications. The other vulnerability
is in the way that LSASS validates identity tokens. Both vulnerabilities could
allow a logged-on user to take complete control of the system.
VENDOR RESPONSE
Microsoft has released Security
Bulletin MS04-044, "Vulnerabilities in Windows Kernel and LSASS
Could Allow Elevation of Privilege (885835)," to address these
vulnerabilities and recommends that affected users immediately apply the
appropriate patch listed in the bulletin.
CREDIT
Discovered by Cesar Cerrudo of Application Security
