Researchers: Microsoft to patch Windows password flaw

Microsoft will patch a flaw in the Windows operating system Tuesday that could give attackers access to passwords on a victim's system, according to security vendor SkyRecon Systems.

"During our ongoing research into the Windows LPC (Local Procedure Call) interface, we found an important vulnerability which could be used to gain elevated privilege and then execute code in the LSASS process," SkyRecon said in a statement e-mailed to IDG News.

The flaw will be patched in Microsoft's upcoming set of security patches, set to be released around 11 a.m. Pacific time Tuesday, the company said.

The LSASS (Local Security Authority Subsystem Service) process is used by Windows to manage account credentials in Windows. A LSASS bug was famously exploited by the Sasser worm in 2004, but this latest flaw appears to be far less serious.

That's because, unlike the Sasser vulnerability, this bug does not allow a remote attacker to run unauthorized software on a victim's computer. "If the vulnerability is exploited, there is a potential for saved passwords to be accessed by users that did not originally posses the proper credentials to access this sensitive information," SkyRecon said.

The flaw affects Windows 2000, XP, and 2003 Server operating systems, and was reported to Microsoft in the last few months, according to SkyRecon, a security software vendor based in Paris.

Microsoft's public relations agency declined to comment on SkyRecon's alert, but last Thursday the software giant said that it planned to patch an important "local elevation of privilege" flaw that affected these three versions of Windows.

Because an attacker would first need to have a way of running software on the victim's system, the vulnerability is "semi-serious," said Eric Schultze, chief technology officer with Shavlik Technologies. "Let's say you are hosting your Web site at an ISP and that ISP keeps many Web sites on that same server," he said via instant message. "If you can do that, you can upload the exploit, then run it via your Web server... and then access passwords that you shouldn't be allowed to access."

Microsoft hasn't said much about the other security update it expects to release tomorrow, except to say that it is a critical bug-fix for Windows Vista and XP users because the vulnerability it fixes could be used by attackers to install unauthorized software on a victim's computer. This update is rated important for Windows Server 2003 users and considered moderate for Windows 2000.

In December, SkyRecon was credited with discovering another elevation of privilege flaw, this one in Windows Vista, that was fixed in Microsoft's last set of security updates.