Hosting providers and IT professionals have been warned of a threat posed to Microsoft IIS web servers through exploitation of vulnerabilities in Microsoft operating systems.
The vulnerability, known as "Token kidnapping", is a technique for the elevation of privileges on Windows operating systems.
The proof-of-concept for the technique was developed by Cesar Cerrudo, chief executive of security company Argeniss.
It exploits weaknesses that affect Windows Server 2003 and 2008, as well as Windows XP and Vista.
The technique elevates privileges by exploiting accounts on IIS servers that have the right to impersonate a client after authentication, Cerrudo said.
Impersonation is the ability of a thread to execute using different security information than the process that owns the thread.
The accounts can be exploited by "kidnapping" the token, an object that describes the security context of a process or thread.
Bill Sisk, a spokesman for the Microsoft Security Response Center (MSRC), said that Cerrudo’s information appeared to be about a "design flaw" rather than a true vulnerability.
Sisk also downplayed the threat. "The presentation does not describe methods for an attacker to gain access to these trusted accounts," he told reporters from SearchSecurity.com.
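Because the technique depends on accounts that hold the right to impersonate a client after authentication, an administrator can start by listing which principals hold that right on a server. The following is an added example, not code from Cerrudo or Microsoft: it parses a user-rights export produced by `secedit` and separates the holders into stock and non-stock entries. The default-holder list, the sample export and the account name `webapp_svc` are assumptions made for illustration.

```python
import re

PRIVILEGE = "SeImpersonatePrivilege"  # "Impersonate a client after authentication"

# Assumption: principals that hold the right in a stock Windows policy.
DEFAULT_HOLDERS = {
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-6": "SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

def privilege_holders(inf_text, privilege=PRIVILEGE):
    """Return the principals assigned `privilege` in a secedit export."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            # SIDs carry a leading '*'; entries may also be plain account names.
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []

def audit(inf_text):
    """Split holders into all principals and those outside the default set."""
    holders = privilege_holders(inf_text)
    return {"holders": holders,
            "review": [h for h in holders if h not in DEFAULT_HOLDERS]}

# Constructed sample of `secedit /export /cfg policy.inf /areas USER_RIGHTS` output.
# S-1-5-32-568 is BUILTIN\IIS_IUSRS; webapp_svc is a hypothetical service account.
SAMPLE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-32-568,webapp_svc
"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    print("Holders:", ", ".join(result["holders"]))
    print("Review :", ", ".join(result["review"]))
```

A real export is written as UTF-16, so open it with `encoding="utf-16"` before passing the text to `audit`.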