Feeds

back to article Crackers latch onto year-old Windows token vuln

Hackers have created exploits against a long-standing, unpatched Windows "token kidnapping" vulnerability. The appearance of attacks follows a year after security researchers Cesar Cerrudo informed Microsoft of the problem in March 2008. Microsoft acknowledged the potential issue in April and published workarounds in an advisory …

COMMENTS

This topic is closed for new posts.
Thumb Down

There's only one thing to say at a time like this...

Oops.

0
0
Tom
Silver badge

@Gavriel Vistica

I thought it was "Ouch! That's gonna leave a mark!"

Of course, with MS, it will be difficult to distinguish it from all the OTHER marks...

0
0
Linux

I Say It's Past The Time When The World Drop M$

It is closed-source software. Only M$ can fix what they made. They won't fix it in a timely fashion and there are too many vulnerabilities altogether. Depending on M$ to provide software for the world's computers is foolish.

It is time to go with FLOSS. At least with FLOSS we can fix anything that goes wrong and because the software is better designed there are fewer vulnerabilities.

CVE-2008-1436:

"Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the (1) NetworkService and (2) LocalService accounts, which might allow context-dependent attackers to gain privileges by using one service process to capture a resource from a second service process that has a LocalSystem privilege-escalation ability, related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services (IIS), aka Token Kidnapping."

For Pity's sake. They cannot get the basics right and then bury stuff ten levels deep in a GUI. It's a house of cards. Get out from under it before it falls on you.

0
0
This topic is closed for new posts.