=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2011/VULN101
_____________________________________________________________________

DATE                      : 09/02/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows XP, Windows Server 2003.

======================================================================
KB2476687
http://www.microsoft.com/technet/security/Bulletin/MS11-010.mspx
______________________________________________________________________

Microsoft Security Bulletin MS11-010 - Important
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation
of Privilege (2476687)

Published: February 08, 2011

Version: 1.0

General Information

Executive Summary

This security update resolves a privately reported vulnerability in the Microsoft
Windows Client/Server Run-time Subsystem (CSRSS) in Windows XP and Windows Server
2003. This security update is rated Important for all supported editions of these
operating systems. For more information, see the subsection, Affected and
Non-Affected Software, in this section.

The vulnerability could allow elevation of privilege if an attacker logs on to a
user's system and starts a specially crafted application that continues running
after the attacker logs off in order to obtain the logon credentials of subsequent
users. An attacker must have valid logon credentials and be able to log on locally
to exploit this vulnerability. The vulnerability could not be exploited remotely
or by anonymous users.

The security update addresses the vulnerability by correcting the manner in which
user processes are terminated upon logoff.

Affected Software

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems

Vulnerability Information

CSRSS Elevation of Privilege Vulnerability - CVE-2011-0030

An elevation of privilege vulnerability exists in the way that the Windows
Client/Server Run-time Subsystem (CSRSS) terminates a process when a user logs off.
An attacker who successfully exploited this vulnerability could run code designed
to monitor the actions of a user who subsequently logged on to the system. This
could allow the disclosure of sensitive information or access to data on the affected
systems that was accessible to the logged-on user. This sensitive data could include
the logon credentials of subsequent users, which an attacker might later use for
elevation of privilege or to execute code as a different user on the system. Note that
this vulnerability would not allow an attacker to execute code or to elevate their user
rights directly. It could be used to collect useful information to try to further
compromise the affected system. If a user with administrative privileges subsequently
logs on to the system, the attacker could run arbitrary code in kernel mode. An attacker
could then install programs; view, change, or delete data; or create new accounts with
full system rights.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================