CERT-In Vulnerability Note
CIVN-2010-0255
Microsoft Windows Task Scheduler service privilege escalation vulnerability
Original Issue Date: December 15, 2010
Severity Rating: MEDIUM
Systems Affected
- Windows Vista Service Pack 1 and Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Including Server Core Installation)
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Including Server Core Installation)
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems (Including Server Core Installation)
- Windows Server 2008 R2 for Itanium-based Systems
Overview
A vulnerability has been reported in Microsoft Windows Task Scheduler service which could allow a local attacker to gain elevated privileges and execute arbitrary code on the targeted system.
Description
Task Scheduler is a Windows service that enables the automation of routine tasks on a chosen computer. Task Scheduler does this by monitoring the criteria the user has chosen for initiating tasks (referred to as triggers) and then executing the tasks when the criteria have been met.
The vulnerability is caused by insufficient validation of XML schema files by the Task Scheduler service. The Task Scheduler fails to properly check fields in unspecified XML schema files, which can be accessed and manipulated via the Component Object Model (COM) interface. A local attacker could exploit this vulnerability by submitting malicious requests to the COM interface, which allows the attacker to manipulate a valid XML schema file. While processing the modified malicious XML schema file, the Task Scheduler could allow the attacker to load tasks into the Task Scheduler. A task loaded by an attacker in this way would run with SYSTEM privileges.
An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system.
Note: This vulnerability is being exploited by Stuxnet in order to escalate privileges up to SYSTEM level.
Workaround
- Principle of least privilege should be implemented.
- Explicitly remove ALLOW from the special permissions "Traverse folder/execute file" and "Create files/write data" for the 'Authenticated Users' group.
- Open Windows Explorer, go to location systemroot\Windows.
- Locate the folder 'Tasks', right-click on the folder and click on Properties.
- The Task Properties window will appear. Click on Security tab.
- Under Group or User Names section, select Authenticated Users group; then select Advanced button. This will open Advanced Security Settings for Tasks window.
- Under the Advanced Security Settings for Tasks window, from the Permission entries section, select Authenticated Users group. Then click Change Permission button. (In Vista, it will ask for the administrator privileges. In Windows 7, a new window will appear with administrator privileges for Advanced Security Settings for Tasks)
- Again from the Permission entries section, select Authenticated Users group. Then click Edit button. The Permission Entry for Tasks window will appear.
- By default, the Authenticated Users group has Allow permissions for: Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create files/write data.
- Deselect Allow boxes for the permissions: Traverse folder/execute file and Create files/write data.
- Click OK
- A warning message will appear for confirmation, Click Yes.
- Then another warning message will appear for confirmation, Click Yes.
- Click OK for changes made on rest of the dialog windows.
Impact of this workaround
- The logged-in user will be able to run previously scheduled tasks.
- If the logged-in user is a member of the Administrators/Backup Operators/Power Users/Server Operators group, the user will be able to submit tasks to the Task Scheduler service.
- If the logged-in user is not a member of the groups mentioned in the previous point, the user will be unable to create any new task. In other words, the logged-in user is unable to enter/write any new file at the location "systemroot\windows\tasks".
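To confirm that the workaround took effect, the folder's ACL can be read back after the dialog steps. The following PowerShell is an added example, not part of the CERT-In note or the Microsoft bulletin; it only reads the ACL and changes nothing. The function name Test-TasksFolderWorkaround, the parameter names and the default path %SystemRoot%\Tasks are assumptions.

```powershell
# Added example: read-only audit of the Tasks folder workaround (changes nothing).
param(
    # Assumption: the 'Tasks' folder named in the workaround is %SystemRoot%\Tasks.
    [string]$TasksPath = (Join-Path $env:SystemRoot 'Tasks')
)

function Test-TasksFolderWorkaround {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Authenticated Users is the well-known SID S-1-5-11; matching on the SID
    # avoids depending on the localized group name.
    $authUsersSid = 'S-1-5-11'

    # The two special permissions the workaround deselects.
    $targets = @(
        @{ Name  = 'Traverse folder/execute file'
           Right = [System.Security.AccessControl.FileSystemRights]::Traverse },
        @{ Name  = 'Create files/write data'
           Right = [System.Security.AccessControl.FileSystemRights]::CreateFiles }
    )

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $acl  = Get-Acl -Path $Path
    $aces = @($acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $authUsersSid -and
            $_.AccessControlType -eq 'Allow'
        })

    foreach ($t in $targets) {
        # Every Allow ACE for the group that still grants this right.
        $granting = @($aces | Where-Object {
            ([int]$_.FileSystemRights -band [int]$t.Right) -ne 0 })
        New-Object PSObject -Property @{
            Permission   = $t.Name
            StillAllowed = ($granting.Count -gt 0)
            # Inherited ACEs must be changed on the parent, not on this folder.
            Inherited    = (@($granting | Where-Object { $_.IsInherited }).Count -gt 0)
        }
    }
}

$result = @(Test-TasksFolderWorkaround -Path $TasksPath)
$result | Format-Table Permission, StillAllowed, Inherited -AutoSize
if (@($result | Where-Object { $_.StillAllowed }).Count -gt 0) {
    Write-Warning "Workaround not fully applied on $TasksPath"
}
```

Reading the ACL of this folder may itself require an elevated session; a row with StillAllowed set to True means the corresponding Allow box is still selected for Authenticated Users.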
Solution
Apply appropriate updates as mentioned in the Microsoft Security Bulletin
MS10-092
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS10-092.mspx
References
ISS
http://xforce.iss.net/xforce/xfdb/62737
ESET
http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
Security Focus
http://www.securityfocus.com/bid/44357
CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=21657
VUPEN
http://www.vupen.com/english/advisories/2010/2761
Secunia
http://secunia.com/advisories/41525/
SecurityTracker
http://securitytracker.com/alerts/2010/Dec/1024874.html
CVE Name
CVE-2010-3338
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India