5-Month-Old Unpatched Vulnerability Stretches from Vista SP1 to XP SP3

Microsoft is monitoring the situation

By Marius Oiaga, Technology News Editor

29th of August 2008, 07:58 GMT

Microsoft is in no hurry to patch a vulnerability that it confirmed approximately five months ago, in mid-April 2008. On August 27, 2008, the Redmond company provided additional details about the security flaw, which impacts a wide range of Windows operating systems, including Windows XP Service Pack 3 and SP2, Windows Vista RTM and SP1, Windows Server 2008 and Windows Server 2003. According to the company, with the exception of the x64 version of XP, both the 32-bit and 64-bit variants of all supported Windows client and server platforms are affected. The vulnerability, which resides within Windows, can potentially allow an attacker who successfully exploits it to elevate privileges from an authenticated user to LocalSystem.

But part of the reason Microsoft is not rushing to deliver a patch is that it has not detected any exploits designed to take advantage of this specific issue. "Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs," the company noted.

In addition to the lack of attacks in the wild, the security issue does not expose end users to a degree of risk high enough to warrant a more urgent patch. The general rule at Microsoft is that the urgency of a security bulletin is strictly correlated with the level of danger. Most exposed to this vulnerability are customers using Internet Information Services (IIS) and SQL Server (such as hosting providers) that permit third-party code to run in an authenticated context.

"Specially crafted code running in the context of the NetworkService or LocalService accounts may gain access to resources in processes that are also running as NetworkService or LocalService. Some of these processes may have the ability to elevate their privileges to LocalSystem, allowing any NetworkService or LocalService processes to elevate their privileges to LocalSystem as well," Microsoft added.

No patch is available from the Redmond company, but workarounds are provided to mitigate the risks associated with the security flaw.


© Copyright 2001-2009 Softpedia