Proof-of-concept exploit code for a privilege escalation vulnerability affecting all versions of Windows including Vista has been posted on a Russian hacker forum, forcing Microsoft to activate its emergency response process.
Mike Reavey, operations manager of the Microsoft Security Response Center, confirmed that the company is “closely monitoring” the public posting, which first appeared on a Russian language forum on Dec. 15. It affects “csrss.exe,” which is the main executable for the Microsoft Client/Server Runtime Server.
According to an alert cross-posted to security mailing lists, the vulnerability is caused by a memory corruption when certain strings are sent through the MessageBox API.
“The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems,” Reavey said in an entry posted late Dec. 21 on the MSRC blog.
“While I know this is a vulnerability that impacts Windows Vista I still have every confidence that Windows Vista is our most secure platform to date,” he added.
“Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings and we have activated our emergency response process involving a multitude of folks who are investigating the issue in depth to determine the full scope and potential impact to Microsoft’s customers,” Reavey added.
The MSRC is expected to issue a formal security advisory with pre-patch workarounds. In the interim, the company is urging customers to enable a firewall, apply all security updates and install anti-virus and anti-spyware protection.
To date, there are no reports of actual attacks against Windows users.
The Microsoft confirmation comes hard on the heels of a claim by anti-virus vendor Trend Micro that underground hackers are selling zero-day exploits for Windows Vista at $50,000 a pop.
The Vista exploit which has not been independently verified was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the Tokyo-based Trend Micro.
In a recent interview with eWEEK, Trend Micro’s chief technology officer, Raimund Genes, said prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range, depending on the popularity of the software and the reliability of the attack code.