The Register® — Biting the hand that feeds IT

Crackers latch onto year-old Windows token vuln

Gabriel Vistica

There's only one thing to say at a time like this... 

Posted Thursday 19th March 2009 08:38 GMT

Thumb Down

Oops.

Tom

@Gavriel Vistica 

Posted Thursday 19th March 2009 14:13 GMT

I thought it was "Ouch! That's gonna leave a mark!"

Of course, with MS, it will be difficult to distinguish it from all the OTHER marks...

Robert Pogson

I Say It's Past The Time When The World Drop M$ 

Posted Monday 23rd March 2009 10:30 GMT

Linux

It is closed-source software. Only M$ can fix what they made. They won't fix it in a timely fashion and there are too many vulnerabilities altogether. Depending on M$ to provide software for the world's computers is foolish.

It is time to go with FLOSS. At least with FLOSS we can fix anything that goes wrong and because the software is better designed there are fewer vulnerabilities.

CVE-2008-1436:

"Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the (1) NetworkService and (2) LocalService accounts, which might allow context-dependent attackers to gain privileges by using one service process to capture a resource from a second service process that has a LocalSystem privilege-escalation ability, related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services (IIS), aka Token Kidnapping."

For Pity's sake. They cannot get the basics right and then bury stuff ten levels deep in a GUI. It's a house of cards. Get out from under it before it falls on you.