Questions about Microsoft Security Advisory 951306

I’m Dustin, a Security Program Manager in the Microsoft Security Response Center (MSRC). We have received a few questions regarding a publicly discussed issue, and we want to update you on the status of how we plan to address it.


The issue revolves around Security Advisory 951306. We originally posted this advisory in March as a result of an issue discussed publicly that described a method of using system tokens to elevate privileges on Windows XP and Windows Server 2003 systems. As always, we began our investigation and immediately realized it would not be trivial to address this issue without introducing new risks. Because of that, we are still actively investigating and developing an update that you will be able to deploy broadly with confidence. In the meantime, I want to remind you that Security Advisory 951306 contains workarounds you can implement to better protect yourself. We revised the advisory on October 8th to let customers know that proof-of-concept code had been made publicly available. While systems administrators can use this code to determine whether their systems are vulnerable, its availability also increases the risk of attackers exploiting the issue. However, we are still not aware of any active attacks against this issue. The attack requires that an attacker already meet certain preconditions, which are common only in specific scenarios. More information on the vulnerability and its mitigating factors can be found in the Security Vulnerability Research and Defense (SVRD) blog.


While this may seem like a long time to create an update, we know customers want a high level of quality in our updates, especially when we are dealing with low-level system components. At times, that requires extensive testing across multiple platforms. You can take a look at the IIS team’s blog to get a glimpse of why this is such a hard problem to address comprehensively and safely.


We will continue to monitor this issue and will post updates to the advisory and the MSRC blog as we become aware of any important new information. In the meantime, we encourage customers to review the advisory and implement the workarounds.


*This posting is provided “AS IS” with no warranties, and confers no rights.*