Softpedia
 


October 10th, 2008, 11:36 GMT · By

Exploit Code for 6 Month Old Unpatched XP SP3 and Vista SP1 Vulnerability

In mid-April 2008, Microsoft published an Advisory informing Windows users of a new vulnerability affecting its Windows server and client platforms, including Windows Vista Service Pack 1 and Windows XP Service Pack 3, but also Windows Server 2008 and Windows Server 2003. In the past six months, the Redmond company did not by any means rush to resolve this vulnerability, and labeled it with only an Important severity rating, meaning that the Windows flaw can only “allow elevation of privilege from authenticated user to LocalSystem”.

“Exploit code has been published on the Internet for the vulnerability addressed by this Advisory. Our investigation has shown that it does not affect customers who have applied the workarounds listed in the Advisory,” revealed Bill Sisk, Microsoft Security Response Center Communications Manager.

So far, Microsoft has not provided a patch to address the security vulnerability, but via the Advisory, the company is offering a few mitigations for impacted customers to bulletproof themselves against potential attacks. For IIS 7.0, users can specify a Worker Process Identity (WPI) for an application pool either with the command-line utility APPCMD.exe or in IIS Manager. For IIS 6.0, they can configure a WPI for an application pool in IIS to use a created account in IIS Manager and disable MSDTC, according to Microsoft.

“At this time, we are not aware of attacks attempting to use the vulnerability. We will continue to monitor the situation and post updates to the Advisory (...) as we become aware of any important new information,” Sisk added.

Microsoft advised that impacted customers turn to the mitigations available via the Advisory in order to render useless any attacks making use of the exploit code released in the wild. At the time of writing this article, the Redmond giant failed to reveal any plan for a security update to be offered in the future.
