Windows Server 2008, Still not totally secure

Argentina, 24 March 2008 - Argeniss announced today that the latest Microsoft operating system, Windows Server 2008, may not be as secure as it seems.

"Windows Server 2008 is the most secure Windows Server yet..."*

Argeniss conducted a quick security investigation of Windows Server 2008 based on old findings in previous Microsoft operating systems. While Windows Server 2008 has improved security features and protections and is generally more secure than previous versions, Argeniss has identified some security weaknesses that make some of the new security protections useless.

The problem discovered by Argeniss results from design issues that were not identified by Microsoft engineers during the Security Development Lifecycle (SDL), and allows accounts commonly used by Windows services (NETWORK SERVICE and LOCAL SERVICE) to bypass new Windows services protection mechanisms and elevate privileges to achieve complete control over the operating system.

The Argeniss discovery also affects Internet Information Services 7 in the default configuration, allowing ASP.NET applications to completely compromise operating system security.

Also affected are Windows Vista, Windows XP, and Windows 2003. On Windows XP and Windows 2003 the problem is especially severe since any Windows service, even when running under a low privileged account, can potentially break through the security protections and fully compromise the operating system. This includes all web applications deployed on Internet Information Services 6.

Cesar Cerrudo, founder and CEO of Argeniss, will be demonstrating these security weaknesses at HITBSecConf2008 - Dubai on April 17th, 2008, in a presentation entitled "Token Kidnapping".


*http://www.microsoft.com/windowsserver2008/en/us/overview.aspx



HITBSecConf2008 - Dubai 14th - 17th April 2008 - United Arab Emirates http://conference.hitb.org/hitbsecconf2008dubai/



--

About Argeniss

Argeniss (www.argeniss.com) is the leading global provider of application security services. Argeniss services have helped top software vendors and companies to secure their products, servers and networks. Argeniss is an information security company specializing in application security, offering worldwide services such as software auditing, penetration testing and security training.

--

Contact us

Velez Sarsfield 736 PA
Parana, Entre Rios
Argentina

E-mail: info>.at..dot.
Tel: +54-343-4316113 Fax: 1-801-4545614

Copyright 2009 Argeniss. All Rights Reserved.