Purpose of Advisory: To provide customers with the initial notification and provide additional information regarding the impact to Windows service accounts. For more information, see the Workarounds and Suggested Actions sections of the security advisory.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

This advisory discusses the following software.

What is the scope of the advisory?
This advisory clarifies public reports of a potential vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2, Windows Server 2003, Windows Vista, and Windows Server 2008. The issue affects the software listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our security update release process.

What causes this threat?
Specially crafted code running in the context of the NetworkService or LocalService accounts may gain access to resources in processes that are also running as NetworkService or LocalService. Some of these processes may have the ability to elevate their privileges to LocalSystem, allowing any NetworkService or LocalService processes to elevate their privileges to LocalSystem as well.

How is IIS affected?
User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability. IIS is not affected in the following scenarios:

How is SQL Server affected?
SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default.

Are there other vectors that an attacker could leverage?
Yes. On Windows Server 2003, an attacker can leverage the Microsoft Distributed Transaction Coordinator (MSDTC) service that runs as NetworkService to acquire a NetworkService token into a process that is running as an identity other than a service identity. An attacker can then use this NetworkService token to elevate to System if this process identity possesses the SeImpersonatePrivilege. This vector does not exist on Windows Server 2008 or Windows Vista.

What additional applications may be affected?
Any process with SeImpersonatePrivilege, as described in Microsoft Knowledge Base Article 821546, which loads and runs user-provided code may be susceptible to an elevation of privilege attack as described in this advisory.

What systems are primarily at risk from the vulnerability?
Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008 may be at risk if IIS is enabled or SQL Server is installed and configured or deployed in a vulnerable state as described by this advisory. IIS systems that allow users to upload code are at increased risk. SQL Server systems are at risk if untrusted users are granted privileged account access. This may include Web hosting providers or similar environments.