Microsoft Warns of Attacks Targeting the Windows Service Isolation Feature

Microsoft has issued a Security Advisory to inform customers of potential attacks targeting Windows Service Isolation, a feature included in all supported Windows operating systems, including Windows 7 and Windows Server 2008 R2.

According to the Redmond company, a problem has been identified in the manner in which the NetworkService token can be received and leveraged in association with RPC calls, via the Windows Telephony Application Programming Interfaces (TAPI) transaction facility.

Microsoft insists that this issue does not require a security bulletin, and that customers can already access an update that will protect their systems against such attacks.


“Although this is not a vulnerability that requires a security update to be issued, an attacker could elevate from NetworkService to LocalSystem using the TAPI service, which runs as system,” Microsoft stated.

“An attacker must already be running with elevated privileges to exploit this issue. This service isolation was implemented as a defense-in-depth measure only and does not constitute a security boundary,” the company explained.

Evidently, customers running systems with Windows Telephony Application Programming Interfaces (TAPI) are most at risk from attacks attempting to exploit this flaw.

They should consult Microsoft Security Advisory (2264072) for additional information about the threat, as well as details on mitigating factors and workarounds.

The non-security update for the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability (CVE-2010-1886) is already available on the Microsoft Download Center.

“This issue affects scenarios where untrusted code is being executed within a process owned by the NetworkService account,” Microsoft said.
“In these scenarios, it is possible for an attacker to elevate from running processes as the NetworkService account to running processes as the LocalSystem account on a target server,” the company added.

“An attacker who successfully elevated to running processes as the LocalSystem account could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the software giant said. 


