Microsoft has warned of an unpatched security vulnerability in Windows that could put many website hosting providers at risk.

The bug affects a number of versions of Windows, including Windows XP Professional Service Pack 2, Windows Server 2003, Windows Vista and Windows Server 2008, and could allow malicious local users who have authentication to execute specially crafted code to raise their privileges to LocalSystem.

While only local users can exploit the flaw, this could be a problem for hosting providers running Internet Information Services (IIS) and SQL Server.

If a legitimate hosting user were to gain additional privileges, he could conceivably attack other sites hosted by the same provider.

"Hosting providers may be at increased risk from this elevation of privilege vulnerability," Microsoft said in the advisory.

The problem was first spotted by Cesar Cerrudo, of security provider Argeniss, who made a presentation on it at the recent Hack In The Box 2008 security conference in Dubai.

Cerrudo published his presentation here.

Microsoft isn't aware of any attacks that have used this vector so far. The company said it is investigating the issue and will later decide how to issue a fix.

"While the vulnerability is limited to a local privilege escalation, IIS’s susceptibility is concerning," McAfee researcher Karthik Raman noted in an advisory. "The web server is widely used on the internet, and is a top pick by web-hosting providers."

No patch is currently available, but Microsoft issued workaround instructions for IIS 6.0 and IIS 7.0.

Microsoft's next patch day is 13 May.