MS08-049: What kind of authentication is needed?

MS08-049 is an update for the Windows Event System service to correct an authenticated elevation-of-privilege vulnerability. We received a question via email yesterday about the type of authentication needed to exploit CVE-2008-1456. Our security bulletin was a little ambiguous with one reference to “logon credentials” and another to “domain credentials”. The email question was from an IT security manager who wondered whether his hardened servers could be compromised remotely. He had disallowed local logon rights to regular users.

The Event System service runs in a shared svchost.exe process with the default svchost COM access permissions. That service ACL grants local or remote access to all Authenticated Users. The Authenticated Users group includes all domain users and all local workstation accounts on the targeted machine. However, the guest account, even if enabled, is not authenticated, so COM will block the call whether it is made locally or remotely. The MSRC has updated the bulletin to be more precise.

We hope this clarifies the risk of this vulnerability. It is rated only “Important” because its effect is an authenticated elevation of privilege. Even so, an authenticated attacker can remotely compromise any unpatched, domain-joined Windows machine in your network, including your domain controller or Exchange server. It’s one of those “Importants” that is very important to address, so we highly recommend that you apply this update.
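The practical question behind the email was whether remote COM access is governed by something other than logon rights. One way to see that on your own servers, added here as an example and not part of the original post, is to decode the computer-wide DCOM access limit stored under HKLM\SOFTWARE\Microsoft\Ole and list which principals may make remote COM calls; it assumes Windows PowerShell running with administrative rights, the function name is my own, and the registry value name and COM_RIGHTS_* bit values are documented Windows items.

```powershell
# Added example (not the MSRC post's code): report who the computer-wide DCOM
# access limit allows to call COM servers locally and remotely. The per-service
# ACL the post describes sits underneath this limit, so a remote caller needs
# both to permit it.
function Get-DcomMachineAccessLimit {
    # COM_RIGHTS_* access-mask bits as defined in the Windows SDK
    $COM_RIGHTS_EXECUTE        = 0x1   # legacy bit: local and remote access
    $COM_RIGHTS_EXECUTE_LOCAL  = 0x2
    $COM_RIGHTS_EXECUTE_REMOTE = 0x4

    $key = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $raw = (Get-ItemProperty -Path $key -Name MachineAccessRestriction `
            -ErrorAction SilentlyContinue).MachineAccessRestriction
    if (-not $raw) {
        # Assumption: when the value is absent, the OS built-in limit applies
        # and only the per-server ACL (Authenticated Users, per the post) decides.
        Write-Warning "MachineAccessRestriction not set; OS default limit applies."
        return
    }

    # The value is a self-relative security descriptor; .NET can parse it directly.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($raw, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }

        $mask   = $ace.AccessMask
        $local  = (($mask -band $COM_RIGHTS_EXECUTE_LOCAL)  -ne 0) -or (($mask -band $COM_RIGHTS_EXECUTE) -ne 0)
        $remote = (($mask -band $COM_RIGHTS_EXECUTE_REMOTE) -ne 0) -or (($mask -band $COM_RIGHTS_EXECUTE) -ne 0)

        # Flag the two broad groups that an ordinary domain account always belongs to.
        $broad = $sid.Value -in @('S-1-5-11', 'S-1-1-0')   # Authenticated Users, Everyone

        [pscustomobject]@{
            Principal      = $name
            AceType        = $ace.AceType
            LocalAccess    = $local
            RemoteAccess   = $remote
            BroadRemote    = ($broad -and $remote -and $ace.AceType -eq 'AccessAllowed')
        }
    }
}

Get-DcomMachineAccessLimit | Format-Table -AutoSize
```

A row with BroadRemote set to True means disallowing local logon for regular users does not by itself stop them from reaching this service over the network, which is the case the post describes.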

– SVRD Bloggers

*Postings are provided “AS IS” with no warranties, and confer no rights.*