Microsoft will today patch a Windows flaw that could give attackers access to passwords on a victim's system, according to security vendor SkyRecon Systems.
"During our ongoing research into the Windows LPC (Local Procedure Call) interface, we found an important vulnerability which could be used to gain elevated privilege and then execute code in the LSASS process," SkyRecon said in an emailed statement.
The flaw was due to be patched in Microsoft's upcoming set of security patches, released around 11 a.m. Pacific time (7 p.m GMT) on Tuesday, the company said.
The LSASS (Local Security Authority Subsystem Service) process is used by Windows to manage account credentials in Windows. A LSASS bug was famously exploited by the Sasser worm in 2004, but this latest flaw appears to be far less serious.
That's because, unlike the Sasser vulnerability, this bug does not allow a remote attacker to run unauthorised software on a victim's computer. "If the vulnerability is exploited, there is a potential for saved passwords to be accessed by users that did not originally posses the proper credentials to access this sensitive information," SkyRecon said.
The flaw affects Windows 2000, XP and 2003 Server operating systems, and was reported to Microsoft in the last few months, according to SkyRecon, a security software vendor based in Paris.
Microsoft's public relations agency declined to comment on SkyRecon's alert, but last Thursday the software giant said that it planned to patch an important "local elevation of privilege" flaw that affected these three versions of Windows.
Because an attacker would first need to have a way of running software on the victim's system, the vulnerability is "semi-serious," said Eric Schultze, chief technology officer with Shavlik Technologies. "Let's say you are hosting your Web site at an ISP and that ISP keeps many Web sites on that same server," he said via instant message. "If you can do that, you can upload the exploit, then run it via your Web server... and then access passwords that you shouldn't be allowed to access."
Microsoft hasn't said much about the other security update it expects to release on Tuesday, except to say that it is a critical bug-fix for Windows Vista and XP users because the vulnerability it fixes could be used by attackers to install unauthorised software on a victim's computer. This update is rated important for Windows Server 2003 users and considered moderate for Windows 2000.
In December, SkyRecon was credited with discovering another elevation of privilege flaw, this one in Windows Vista, which was fixed in Microsoft's last set of security updates.