General | Written by Daniel | Tuesday, 08 January 2008 13:35
Flaw that affects Windows 2000, XP, and 2003 Server could give attackers access to passwords on a victim's system
By Robert McMillan, IDG News Service, January 08, 2008, InfoWorld
Microsoft will patch a flaw in the Windows operating system Tuesday that could give attackers access to passwords on a victim's system, according to security vendor SkyRecon Systems. "During our ongoing research into the Windows LPC (Local Procedure Call) interface, we found an important vulnerability which could be used to gain elevated privilege and then execute code in the LSASS process," SkyRecon said in a statement e-mailed to IDG News.
The flaw will be patched in Microsoft's upcoming set of security patches, set to be released around 11 a.m. Pacific time Tuesday, the company said.
The LSASS (Local Security Authority Subsystem Service) process is used by Windows to manage account credentials. An LSASS bug was famously exploited by the Sasser worm in 2004, but this latest flaw appears to be far less serious.
That's because, unlike the Sasser vulnerability, this bug does not allow a remote attacker to run unauthorized software on a victim's computer. "If the vulnerability is exploited, there is a potential for saved passwords to be accessed by users that did not originally possess the proper credentials to access this sensitive information," SkyRecon said.
The flaw affects Windows 2000, XP, and 2003 Server operating systems, and was reported to Microsoft in the last few months, according to SkyRecon, a security software vendor based in Paris.