Reported July 13, 2004, by Microsoft

VERSIONS AFFECTED

  • Windows 2000

DESCRIPTION
A privilege-elevation vulnerability exists in the way Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

VENDOR RESPONSE
Microsoft has released bulletin MS04-019, "Vulnerability in Utility Manager Could Allow Code Execution (842526)," to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.

CREDIT
Discovered by Cesar Cerrudo of Application Security, Inc.