But mitigations are in placeA Token Kidnapping vulnerability affecting Windows client and server operating systems via IIS and SQL Server has gone unpatched since April 2008, when Microsoft first informed the users of the issue. And even after proof of concept code for the security flaw has become available in the wild, the Redmond giant posted just an update to their original advisory and informed users that a patch is in the making, but failed to offer any deadline for the availability of the fix.
“While this may seem like a long time period to create an update, we know customers want a high-level of quality in our updates - especially when we are dealing with low-level system components. At times, that requires some extensive testing across multiple platforms,” revealed a member of the Microsoft Security Response Center.
The Security Advisory that Microsoft has in place offers several mitigations designed to bulletproof Windows operating systems against attacks exploiting the token kidnapping vulnerability. According to the Redmond company, applying the mitigations will render any exploit of the security flaw irrelevant. However, while Proof of Concept code is indeed available in the wild, Microsoft indicated that it had not discovered any attack targeting the token kidnapping vulnerability.
The MSRC representative explained that Microsoft had not provided a patch because the company “realized it would not be trivial to address this issue without introducing new risks. Because of that, we are still in the process of actively investigating and developing an update that you'll be able to deploy broadly in confidence”.
In addition to the mitigation techniques presented in the Security Advisory for the token kidnapping vulnerability, Jonathan Ness, from the Security Vulnerability Research & Defense team also discussed the issue, providing additional details.
“An attacker would need to be executing code in the context of a Windows service to use this exploit. More precisely, an attacker needs the SeImpersonatePrivilege privilege in their token in order to start the privilege escalation,” Ness stated. “IIS is a good attack vector in scenarios where a hosting provider hosts untrusted code. Cesar also points out the SQL Server scenario where a SQL DBA has admin rights to the database but not on the machine running the database.”
In addition, a Security Engineer for the IIS team also discussed the vulnerability and the steps necessary in order to address the problem even in the context of a missing patch from Microsoft.