Microsoft has plugged a hole in its antivirus and antispyware software that could allow an attacker authenticated on the local system to gain LocalSystem privileges.
The fix for the privilege escalation vulnerability is included in an update to the Microsoft Malware Protection Engine. Since the malware protection updates are automatically applied, most end users and administrators won't need to do anything, Microsoft said in its advisory, issued yesterday. The update should be applied within 48 hours of the advisory release, or by the weekend.
The vulnerability is rated "important" for Windows Live OneCare, Microsoft Security Essentials, Windows Defender, Microsoft Malicious Software Removal Tool, Forefront Client Security, and Forefront Endpoint Protection 2010.
"The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid log-on credentials has created a specially crafted registry key," the advisory says. "An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account. The vulnerability could not be exploited by anonymous users."
Workstations and terminal servers are primarily at risk, Microsoft said.