Vulnerability Description
The ThreadPool class in Windows Vista Gold and SP1, and Server 2008, does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by leveraging incorrect thread ACLs to access the resources of one of the processes, aka "Windows Thread Pool ACL Weakness Vulnerability."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Windows Server 2008 | - |
| Microsoft | Windows Vista | - |
Related Weaknesses (CWE)
References
- http://osvdb.org/53668Broken Link
- http://www.securitytracker.com/id?1022044Third Party AdvisoryVDB Entry
- http://www.us-cert.gov/cas/techalerts/TA09-104A.htmlThird Party AdvisoryUS Government Resource
- http://www.vupen.com/english/advisories/2009/1026Permissions Required
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-01PatchVendor Advisory
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Third Party Advisory
- http://osvdb.org/53668Broken Link
- http://www.securitytracker.com/id?1022044Third Party AdvisoryVDB Entry
- http://www.us-cert.gov/cas/techalerts/TA09-104A.htmlThird Party AdvisoryUS Government Resource
- http://www.vupen.com/english/advisories/2009/1026Permissions Required
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-01PatchVendor Advisory
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Third Party Advisory
FAQ
What is CVE-2009-0080?
CVE-2009-0080 is a vulnerability with a CVSS score of 6.9 (MEDIUM). The ThreadPool class in Windows Vista Gold and SP1, and Server 2008, does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) al...
How severe is CVE-2009-0080?
CVE-2009-0080 has been rated MEDIUM with a CVSS base score of 6.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-0080?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Windows Server 2008, Microsoft Windows Vista.