Windows Server 2008, Still not totally secure
Argentina, 24 March 2008 - Argeniss announced today that the latest Microsoft operating system, Windows Server 2008, may not be as secure as it seems.
"Windows Server 2008 is the most secure Windows Server yet..."*
Argeniss conducted a quick security investigation of Windows Server 2008 based on old findings in previous Microsoft operating systems. While Windows Server 2008 has improved security features and protections and is generally more secure than previous versions, Argeniss has identified security weaknesses that render some of the new security protections useless.
The problem discovered by Argeniss results from design issues that were not identified by Microsoft engineers during the Security Development Lifecycle (SDL). It allows accounts commonly used by Windows services (NETWORK SERVICE and LOCAL SERVICE) to bypass the new Windows service protection mechanisms and elevate privileges to achieve complete control over the operating system.
The Argeniss discovery also affects Internet Information Services 7 in its default configuration, allowing ASP.NET applications to completely compromise operating system security.
Also affected are Windows Vista, Windows XP, and Windows 2003. On Windows XP and Windows 2003 the problem is especially severe, since any Windows service, even one running under a low-privileged account, can potentially break through the security protections and fully compromise the operating system. This includes all web applications deployed on Internet Information Services 6.
Cesar Cerrudo, founder and CEO of Argeniss, will demonstrate these security weaknesses at HITBSecConf2008 - Dubai on April 17th, 2008, in a presentation entitled "Token Kidnapping".
HITBSecConf2008 - Dubai
14th - 17th April 2008 - United Arab Emirates
Argeniss (www.argeniss.com) is the leading global provider of application security services.
Argeniss services have helped top software vendors and companies to secure their products, servers and networks.
Argeniss is an information security company specialized in application security, offering worldwide services such as software auditing, penetration testing and security training.
Velez Sarsfield 736 PA
Parana, Entre Rios