Risk
High
Date Discovered
February 9, 2010
Description
Microsoft Windows is prone to a local privilege-escalation vulnerability that occurs in the kernel.
An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial of service.
Recommendations
Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
To exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only.
Microsoft has released an advisory and updates. Please see the references for details.
UPDATE: Microsoft has released a notice stating that some customers have to restart their computers after installing the security updates for this vulnerability. Subsequently, Microsoft has removed the updates from Windows Update for the time being until the issue can be resolved. Microsoft recommends applying the workarounds described in MS10-015 to mitigate the vulnerability. We will update this BID as more information emerges.
UPDATE (February 18, 2010): Further investigation by the vendor indicates that the presence of the Alureon rootkit is the cause of the issues with the installation of the MS10-015 patch. A Windows 32-bit system infected with the Alureon rootkit will undergo a 'blue screen' crash after the security updates are installed. Since Alureon can infect only 32-bit systems, Microsoft has now opened up automatic updates of this patch for 64-bit platforms.
UPDATE (March 2, 2010): Updates available via Windows Update contain revised installation code to compensate for update problems on infected computers.
Credits
Tavis Ormandy of Google
Copyright © Symantec Corporation.Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from
secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
