Secunia

Some vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious users to compromise a vulnerable system.

1) An error in the Microsoft Distributed Transaction Coordinator (MSDTC) transaction facility can be exploited by a process having the SeImpersonatePrivilege to run arbitrary code with NetworkService privileges.

2) The Windows Management Instrumentation (WMI) provider improperly isolates processes running under the NetworkService or LocalService accounts. This can be exploited to run arbitrary code with LocalSystem privileges by e.g. obtaining a SYSTEM token.

3) The RPCSS service improperly isolates processes running under the NetworkService or LocalService accounts. This can be exploited to execute arbitrary code with LocalSystem privileges.

4) Incorrect access control lists (ACLs) are placed on threads in the current ThreadPool. This can be exploited to execute arbitrary code with LocalSystem privileges.

Successful exploitation of the vulnerabilities requires the ability to run code in an authenticated context e.g via IIS (when ASP.NET code runs in full trust or via ISAPI extensions/filters) and SQL Server (when having administrative privileges to load and run code).

Solution
Apply patches.
Further details available in Customer Area

Provided and/or discovered by
Cesar Cerrudo, Argeniss

Changelog
Further details available in Customer Area

Original Advisory
Microsoft (KB951306):
http://www.microsoft.com/technet/security/advisory/951306.mspx

Microsoft (KB959454, KB952004, KB956572):
http://www.microsoft.com/technet/security/bulletin/ms09-012.mspx

Argeniss:
http://www.argeniss.com/research/TokenKidnapping.pdf

Deep Links
Links available in Customer Area