We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft to patch Windows password flaw

Flaw affects Windows 2000, XP

Microsoft will today patch a Windows flaw that could give attackers access to passwords on a victim's system.

"During our ongoing research into the Windows Local Procedure Call (LPC) interface, we found an important vulnerability which could be used to gain elevated privilege and then execute code in the LSASS process," security vendor SkyRecon Systems said in a statement emailed to IDG News.

The flaw will be patched in Microsoft's upcoming set of security patches, set to be released around 7pm UK time Tuesday, the company said.

For the latest PC security news, reviews, tips and tricks, visit Security Advisor.

The Local Security Authority Subsystem Service (LSASS) process is used by Windows to manage account credentials in Windows. A LSASS bug was famously exploited by the Sasser worm in 2004, but this latest flaw appears to be far less serious.

That's because, unlike the Sasser vulnerability, this bug does not allow a remote attacker to run unauthorised software on a victim's computer. "If the vulnerability is exploited, there is a potential for saved passwords to be accessed by users that did not originally posses the proper credentials to access this sensitive information," SkyRecon said.

The flaw affects Windows 2000, XP and 2003 Server operating systems, and was reported to Microsoft in the last few months, according to SkyRecon, a security software vendor based in Paris.

Microsoft's public relations agency declined to comment on SkyRecon's alert, but last Thursday the software giant said that it planned to patch an important "local elevation of privilege" flaw that affected these three versions of Windows.

Because an attacker would first need to have a way of running software on the victim's system, the vulnerability is "semi-serious", said Eric Schultze, chief technology officer with Shavlik Technologies.

"Let's say you are hosting your website at an ISP and that ISP keeps many websites on that same server," he said via instant message. "If you can do that, you can upload the exploit, then run it via your web server... and then access passwords that you shouldn't be allowed to access."

Microsoft hasn't said much about the other security update it expects to release tomorrow, except to say that it is a critical bug-fix for Windows Vista and XP users because the vulnerability it fixes could be used by attackers to install unauthorised software on a victim's computer. This update is rated important for Windows Server 2003 users and considered moderate for Windows 2000.

In December, SkyRecon was credited with discovering another elevation of privilege flaw, this one in Windows Vista, that was fixed in Microsoft's last set of security updates.

IDG UK Sites

Apple promises developers better stability, performance for Swift

IDG UK Sites

5 things we hate about MWC: What it's like to be a journalist at a technology trade show

IDG UK Sites

Interview: Lauren Currie aims to help design students bridge skills gap

IDG UK Sites

12in Retina MacBook Air release date rumours: new MacBook Air to have fingerprint ID, could launch...