Executive Summary
| Summary | |
|---|---|
| Title | Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962) |
| Informations | |||
|---|---|---|---|
| Name | MS10-100 | First vendor Publication | 2010-12-14 |
| Vendor | Microsoft | Last vendor Modification | 2010-12-14 |
| Severity (Vendor) | Important | Revision | 1.0 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 7.2 | Attack Range | Local |
| Cvss Impact Score | 10 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Revision Note: V1.0 (December 14, 2010): Bulletin published.Summary: This security update resolves a privately reported vulnerability in the Consent User Interface (UI). The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application on an affected system. An attacker must have valid logon credentials and the SeImpersonatePrivilege and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. |
Original Source
| Url : http://www.microsoft.com/technet/security/bulletin/MS10-100.mspx |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:12323 | |||
| Oval ID: | oval:org.mitre.oval:def:12323 | ||
| Title: | Consent UI Impersonation Vulnerability | ||
| Description: | The Consent User Interface (UI) in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly handle an unspecified registry-key value, which allows local users with SeImpersonatePrivilege rights to gain privileges via a crafted application, aka "Consent UI Impersonation Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-3961 | Version: | 11 |
| Platform(s): | Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 7 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2010-12-15 | Name : Consent User Interface Privilege Escalation Vulnerability (2442962) File : nvt/secpod_ms10-100.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 69824 | Microsoft Windows Consent User Interface Local Privilege Escalation Microsoft Windows contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when an error in the User Account Control (UAC) Consent UI component when processing certain registry values occurs, allowing a local attacker to use a specially crafted program to gain elevated privileges and execute arbitrary code. |
Information Assurance Vulnerability Management (IAVM)
| Date | Description |
|---|---|
| 2010-12-16 | IAVM : 2010-B-0117 - Microsoft Windows Consent User Interface Elevation of Privilege Vulnerability Severity : Category II - VMSKEY : V0025851 |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-12-15 | Name : A Windows component on the remote host is affected by a vulnerability that co... File : smb_nt_ms10-100.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2016-04-26 23:02:21 |
|
| 2014-02-17 11:46:48 |
|
| 2013-11-11 12:41:20 |
|
