Microsoft to fix password flaw, says researcher

Breaking an unwritten code of conduct, security researchers at SkyRecon Systems said that a password vulnerability they had reported to Microsoft will be patched by the developer later Tuesday.

Typically, researchers who work with Microsoft wait for the software company to release its monthly patches before they go public with their own accounts or advisories.

"The patch is coming out later today," said Sean Martin, a researcher at the security firm, when asked why SkyRecon disclosed the vulnerability prior to Microsoft issuing a fix.

According to Martin, the vulnerability lets attackers elevate access privileges and run code in Windows' LSASS (Local Security Authority Subsystem Service), the process responsible for enforcing security policy in the operating system. "Someone could use this to gain system-level access and extract passwords out of the Windows storage," Martin said this morning, several hours before Microsoft was scheduled to roll out January's security updates.

Microsoft last patched LSASS in April 2004; within weeks of posting MS04-011, the Sasser worm used the bug to wreak havoc around the world.

Tuesday's vulnerability should be considerably less dangerous; last week Microsoft classified a then-vague vulnerability as "important" rather than the top-end "critical" and labeled it as a "local elevation of privilege," which means that an attack requires local access.

Martin confirmed Tuesday that the SkyRecon bug and the rights elevation flaw Microsoft previewed last Thursday are one and the same.

The bug affects Windows 2000, Windows XP and Windows Server 2003, but not Windows Vista, according to the advance notification.

Martin also said SkyRecon believes attackers would be able to access all Windows passwords by exploiting the LSASS vulnerability, even those that had been encrypted.

Microsoft generally releases its second-Tuesday-of-the-month security updates between 1 p.m. and 2 p.m. EST.