Token Kidnapping – Fixed

A year ago, Cesar Cerrudo presented a serious elevation-of-privilege vulnerability ("Token Kidnapping") involving the NetworkService and LocalService accounts, as used by the IIS worker process. Microsoft addressed this in April last year, but that was more of a workaround than a fix for the underlying issue. Today, after a long wait and some serious testing, Microsoft has released a security bulletin update that closes this gap. I have yet to test it :) busy again!!! You should test it in a lab environment before any production deployment; the KB article details all the affected files.

And read the blogs over at MSRC and SRD for more information about this issue.
